
Cyata Discovers Critical Vulnerabilities in HashiCorp Vault, CyberArk Conjur

14 CVEs Demonstrate Complete Compromise of Enterprise Secrets Management Systems Protecting Virtually All Fortune 500 Companies

Cyata, the first control plane for agentic identities, recently announced 14 critical vulnerabilities in HashiCorp Vault and CyberArk Conjur, the most widely deployed secrets management platforms used by enterprises worldwide. The vulnerabilities were potentially exploitable for years and include complete unauthenticated remote code execution chains affecting systems protecting the “keys to the kingdom” for thousands of enterprises globally.

Enterprise vaults serve as the single system safeguarding an organisation’s most sensitive secrets—database passwords, API keys, certificates, and access tokens that control entire digital infrastructures. The vast majority of Fortune 500 companies use HashiCorp or CyberArk’s solutions, including NVIDIA, Stripe, Adobe, Salesforce, Citibank, Walgreens, Samsung, ADT, Lufthansa, and ING.

“This represents the worst-case scenario for enterprise security,” said Shahar Tal, CEO of Cyata. “When attackers can compromise the vault without any authentication, they literally gain the keys to the kingdom—access to every database, every API, every cloud resource across an entire organisation. In some cases, we achieved full vault compromise with just a single unauthenticated API request—no credentials, no friction.”

Cyata Presents Concerning Findings

Cyata’s research team discovered nine vulnerabilities in HashiCorp Vault and five in CyberArk Conjur, several of which received CVSS scores of 9.1 or higher. Critically, the research uncovered Remote Code Execution (RCE) chains in both platforms. For HashiCorp Vault, this marks the first RCE ever discovered in the project’s 10-year history, stemming from a flaw that had remained exploitable for over nine years; the most severe findings demonstrate complete pre-authentication compromise chains:

  • HashiCorp Vault: Multiple vulnerabilities affecting the platform’s most widely used authentication methods, including username/password, LDAP, and MFA systems. One vulnerability allows attackers to bypass user lockout protections through simple case manipulation, effectively allowing unlimited attempts, while another bypasses the requirement for MFA, frequently relied on as a second line of defence.
  • CyberArk Conjur: A complete unauthenticated remote code execution chain that allows attackers to gain full system control without any valid credentials. The attack begins with an IAM authentication bypass that redirects STS validation to attacker-controlled servers, then escalates through host factory abuse and policy template injection to achieve arbitrary code execution.

Cyata followed responsible disclosure practices, reporting the vulnerabilities to both HashiCorp and CyberArk. The companies immediately moved to verify the vulnerabilities, develop patches, notify their clients and work closely with Cyata to ensure a thorough and effective resolution.

A Dedicated Landing Page and Recommendations of Action

Cyata has created a dedicated landing page at https://cyata.ai/vault-fault with detailed technical information, indicators of compromise, and tools to help organisations determine if they may have been affected. The page includes comprehensive details for all 14 CVEs and technical remediation guidance. In addition to urgently applying patches from HashiCorp and CyberArk, organisations should:

  • Review vault access logs for suspicious authentication patterns or token usage.
  • Use Cyata’s published detection tooling to identify potential compromise.
  • Prepare incident response plans specifically for vault compromise scenarios.
  • Consider implementing additional monitoring and access controls around vault systems.
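One way to act on the log-review recommendation for the lockout-bypass pattern described earlier (failed logins spread across case variants of one username), added here as an example that is not Cyata’s detection tooling or Vault’s own code. The JSON audit-line shape, the sample lines and the lockout threshold of 5 are assumptions.

```python
import json
from collections import defaultdict

# Assumed: Vault's default userpass/ldap lockout threshold of 5 failed attempts.
LOCKOUT_THRESHOLD = 5

# Constructed sample lines in the shape of Vault's JSON audit log (fields trimmed
# to what the check needs). Six failures for alice/Alice/ALICE: if lockout were
# keyed on the raw username, no variant alone would ever trip the counter.
SAMPLE_AUDIT_LINES = [
    '{"type":"response","request":{"path":"auth/userpass/login/alice"},"error":"invalid username or password"}',
    '{"type":"response","request":{"path":"auth/userpass/login/Alice"},"error":"invalid username or password"}',
    '{"type":"response","request":{"path":"auth/userpass/login/ALICE"},"error":"invalid username or password"}',
    '{"type":"response","request":{"path":"auth/userpass/login/alice"},"error":"invalid username or password"}',
    '{"type":"response","request":{"path":"auth/userpass/login/Alice"},"error":"invalid username or password"}',
    '{"type":"response","request":{"path":"auth/userpass/login/ALICE"},"error":"invalid username or password"}',
    '{"type":"response","request":{"path":"auth/ldap/login/bob"},"error":"ldap operation failed"}',
    '{"type":"response","request":{"path":"auth/userpass/login/alice"}}',  # success: no error field
    'not json at all',
]


def parse_failed_logins(lines):
    """Yield (raw_user, folded_user) for every failed login on an auth/<mount>/login/<user> path."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        if rec.get("type") != "response" or not rec.get("error"):
            continue
        parts = rec.get("request", {}).get("path", "").split("/")
        if len(parts) == 4 and parts[0] == "auth" and parts[2] == "login":
            yield parts[3], parts[3].casefold()


def find_case_variant_bruteforce(lines, threshold=LOCKOUT_THRESHOLD):
    """Return {folded_user: {variant: failures}} for users whose failures, summed across
    case variants, reach the threshold while no single variant does (lockout evaded)."""
    attempts = defaultdict(lambda: defaultdict(int))
    for raw, folded in parse_failed_logins(lines):
        attempts[folded][raw] += 1
    findings = {}
    for folded, variants in attempts.items():
        total = sum(variants.values())
        if len(variants) > 1 and total >= threshold and max(variants.values()) < threshold:
            findings[folded] = dict(variants)
    return findings


if __name__ == "__main__":
    for user, variants in find_case_variant_bruteforce(SAMPLE_AUDIT_LINES).items():
        print(f"possible lockout evasion for {user!r}: {variants}")
```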

The research findings were presented at Black Hat USA 2025 by Shahar Tal, CEO and Co-Founder of Cyata, and lead researcher Yarden Porat.

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.
