BLACK HAT USA – Las Vegas – Wednesday, Aug. 6 – Researchers have unearthed nine zero-day security vulnerabilities in HashiCorp Vault and five in CyberArk Conjur, password vaults used by thousands of companies.

Secret management platforms like these are the most sensitive systems you can find at any enterprise. It's why they're also referred to as "vaults" — they're the big, iron doors that protect all of an enterprise's passwords, certificates, encryption keys, application programming interface (API) keys, etc.

"It's critical infrastructure," emphasizes Shahar Tal, CEO and co-founder of Cyata, which discovered the issues. It strains the imagination to conceive of a cyberattack worse than the compromise of a vault, he adds: "You'd need to replace every single secret in your organization. An attacker can ransomware your entire vault and take every secret hostage. Aside from accessing everything, they could literally compromise everything in your network."

At Black Hat USA 2025, Tal and his colleague revealed 14 previously unknown vulnerabilities in two leading secret managers: HashiCorp Vault and CyberArk Conjur. Some of these issues had been lying in wait for years. They enabled authentication bypass, root access, remote code execution (RCE), and ultimately total compromise of all of a company's most valuable secrets.

The issues in Conjur all folded into a single, authentication-less RCE exploit chain. The researchers worked with a standard deployment integrated with AWS. Not with a real AWS account, though, because legitimate authentication wasn't required. Conjur is designed to authenticate users via an official AWS server, but the function it uses to authenticate that server was vulnerable to unvalidated user input. By adding a single special character — in this case, a question mark — to the region name in the identity verification request, they were able to redirect the authentication check to their own server.

Even more inventive was their means of escalating privileges. Instead of just impersonating a regular user (a host), they authenticated as a policy — the very thing that allocates permissions to users and services. This mind-twisting trick, Tal explains in a briefing with Dark Reading, "is a very interesting quirk. Usually you're supposed to authenticate as a machine, or as some type of recognizable entity. But we found that if you try to authenticate as a policy, which doesn't make sense in any other way, it will give us exactly what we need in order to continue to escalate our privileges."

The other major breakthrough came when the researchers found that Conjur's two-year-old "Policy Factory" feature allows templates to contain Embedded Ruby (ERB) code, which runs when the template is used. They used this as their vehicle to load and run arbitrary malicious code.

In all, the Conjur vulnerabilities earned Common Vulnerability Scoring System (CVSS) ratings ranging from "critical" 9.1s — those enabling the initial authentication bypass — to a "moderate" 6.0.

"I know there are going to be static secrets for a while, but they're fading away," Tal says. "We should be managing [users], rather than secrets. We should be contextualizing behaviors, evaluating the kinds of identities and machines of users that are performing actions, and then making decisions based on their behavior, not just what secrets they hold. I think that secrets are not a bad thing for now, but eventually we're going to move to the next generation of identity infrastructure."
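The unvalidated region name in Conjur's AWS identity check, described above, comes down to how an untrusted string is placed into a URL. The following is an added example, not Conjur's or Cyata's code; it assumes a hypothetical authenticator that builds the AWS STS endpoint URL from a caller-supplied region, and contrasts the unchecked interpolation with an allowlisted, host-verified version a defender would want in its place.

```ruby
require 'uri'

# Approximate shape of a real AWS region name (allowlist; an assumption for this example).
AWS_REGION_RE = /\A[a-z]{2}(-gov)?-[a-z]+-\d\z/

class InvalidRegion < StandardError; end

# Unchecked pattern: the caller-supplied region is interpolated straight into the URL.
# A '?' inside the value terminates the host part early, so the trusted
# '.amazonaws.com' suffix lands in the query string instead of the hostname.
def sts_endpoint_unchecked(region)
  "https://sts.#{region}.amazonaws.com/"
end

# Hardened: reject anything that does not look like a region, build the URL,
# then re-parse it and confirm the host is still under amazonaws.com before
# any identity-verification request is sent.
def sts_endpoint_checked(region)
  raise InvalidRegion, 'region fails allowlist' unless AWS_REGION_RE.match?(region)
  url = "https://sts.#{region}.amazonaws.com/"
  host = URI.parse(url).host
  raise InvalidRegion, "unexpected host #{host.inspect}" unless host&.end_with?('.amazonaws.com')
  url
end

# Host the verification request would actually be sent to, or nil when the region is rejected.
def verification_host(region, checked: true)
  url = checked ? sts_endpoint_checked(region) : sts_endpoint_unchecked(region)
  URI.parse(url).host
rescue InvalidRegion, URI::InvalidURIError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a legitimate region and one carrying a stray '?'.
  ['us-east-1', 'us-east-1?x'].each do |r|
    puts "#{r.inspect}: unchecked -> #{verification_host(r, checked: false).inspect}, " \
         "checked -> #{verification_host(r).inspect}"
  end
end
```

The second check is defense in depth: even if the allowlist regex is later loosened, a request never leaves for a host outside the expected domain.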