Identity security and access management firm CyberArk has patched several serious vulnerabilities that could lead to unauthenticated remote code execution, potentially enabling threat actors to gain access to valuable enterprise secrets.

The vulnerabilities were found by researchers at agentic identity security firm Cyata in CyberArk Conjur, an open source secrets management solution that is used by many organizations for managing machine and AI identities and for brokering secure access between various enterprise environments. Conjur is designed for securely storing, managing and controlling access to credentials, certificates, API keys and other enterprise secrets used in cloud and DevOps environments, which could be highly valuable to threat actors. Cyata discovered a series of vulnerabilities, including ones allowing IAM authentication bypass, privilege escalation, information disclosure, and arbitrary code execution.  Chaining the flaws enables a remote, unauthenticated attacker to execute arbitrary code on the targeted system without needing any password, token or AWS credentials. The vulnerabilities are tracked as CVE-2025-49827, CVE-2025-49831 (both IAM authenticator bypasses), CVE-2025-49828 (remote code execution), CVE-2025-49830 (path traversal and file disclosure), and CVE-2025-49829 (missing validations).

CyberArk was notified about the findings in late May and the company announced the availability of patches in a blog post published on July 15. Customers had previously been notified about the flaws and patches. CyberArk’s Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur open source are affected. “As far as we know, these vulnerabilities have not been exploited in the wild, but we strongly encourage all users of the affected software to deploy the newly released patches as soon as possible,” CyberArk said. In addition to the CyberArk product vulnerabilities, Cyata researchers discovered flaws in another widely used secrets management platform, HashiCorp Vault. A total of nine vulnerabilities were found, some of them allowing remote code execution and a full system takeover. Cyata presented its findings on Wednesday at the Black Hat conference and disclosed technical details in a blog post.