Cybersecurity researchers have discovered more than a dozen vulnerabilities in enterprise secrets vaults from CyberArk and HashiCorp that, if successfully exploited, could allow remote attackers to break into corporate identity systems and exfiltrate enterprise secrets and tokens.
According to a report by identity security firm Cyata, the 14 vulnerabilities, collectively named Vault Fault, affect CyberArk Secrets Manager, Self-Hosted, CyberArk Conjur Open Source and HashiCorp Vault. Following responsible disclosure in May 2025, the flaws have been addressed in the following versions –
They include authentication bypasses, impersonation, privilege escalation bugs, code execution paths and root token theft. The most severe issues allow remote code execution, letting attackers take over the vault under certain conditions without holding any valid credentials –
- CVE-2025-49827 (CVSS score: 9.1) – Bypass of the IAM authenticator in CyberArk Secrets Manager
- CVE-2025-49831 (CVSS score: 9.1) – Bypass of the IAM authenticator in CyberArk Secrets Manager through a misconfigured network device
- CVE-2025-49828 (CVSS score: 8.6) – Remote code execution in CyberArk Secrets Manager
- CVE-2025-6000 (CVSS score: 9.1) – Arbitrary remote code execution through the plugin catalog in HashiCorp Vault
- CVE-2025-5999 (CVSS score: 7.2) – Privilege escalation to root through policy normalization in HashiCorp Vault
In addition, flaws have been found in HashiCorp Vault's lockout protection logic, which is designed to throttle brute-force attempts. They could allow an attacker to infer which usernames are valid by exploiting a timing-based side channel, and even to reset the lockout for a known username (e.g., one set up for the administrator) simply by changing the case of the username.
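As an added defender-side illustration (not code from the original report or from Cyata), the following Python groups failed Vault login attempts by case-folded username, so that a lockout counter or a detection rule is not fooled by case variants of the same name, and flags users whose failures arrive under several spellings. The audit entries are constructed samples in the shape of Vault's JSON audit log; the field names relied on here are an assumption.

```python
import json
from collections import Counter, defaultdict

# Constructed sample entries in the shape of Vault's JSON audit log (assumption:
# real entries carry many more fields; only the ones used here are modelled).
SAMPLE_AUDIT = """\
{"time":"2025-05-02T10:00:01Z","type":"response","request":{"path":"auth/userpass/login/admin"},"error":"invalid username or password"}
{"time":"2025-05-02T10:00:02Z","type":"response","request":{"path":"auth/userpass/login/admin"},"error":"invalid username or password"}
{"time":"2025-05-02T10:00:03Z","type":"response","request":{"path":"auth/userpass/login/admin"},"error":"invalid username or password"}
{"time":"2025-05-02T10:00:04Z","type":"response","request":{"path":"auth/userpass/login/Admin"},"error":"invalid username or password"}
{"time":"2025-05-02T10:00:05Z","type":"response","request":{"path":"auth/userpass/login/ADMIN"},"error":"invalid username or password"}
{"time":"2025-05-02T10:00:06Z","type":"response","request":{"path":"auth/userpass/login/alice"},"auth":{"display_name":"userpass-alice"}}
"""

def parse_entries(raw):
    """One dict per non-empty line; lines that are not JSON are skipped."""
    for line in filter(None, map(str.strip, raw.splitlines())):
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def login_username(path):
    """Return the username segment of an auth login path, or None."""
    marker = "/login/"
    if path.startswith("auth/") and marker in path:
        return path.split(marker, 1)[1]
    return None

def failed_login_entries(raw):
    """Yield (literal_username, entry) for every failed login response."""
    for entry in parse_entries(raw):
        if entry.get("type") != "response" or not entry.get("error"):
            continue
        user = login_username(entry.get("request", {}).get("path", ""))
        if user is not None:
            yield user, entry

def failed_logins_casefolded(raw):
    """Failures per case-folded username: how a lockout counter should count."""
    return Counter(user.casefold() for user, _ in failed_login_entries(raw))

def case_variant_failures(raw):
    """Users whose failed logins arrive under more than one spelling."""
    spellings = defaultdict(set)
    for user, _ in failed_login_entries(raw):
        spellings[user.casefold()].add(user)
    return {u: s for u, s in spellings.items() if len(s) > 1}
```

Run against a real audit log, a non-empty result from case_variant_failures is worth an alert, since legitimate users rarely retype their own name in three different cases.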
Two other shortcomings identified by the Israeli company make it possible to weaken lockout enforcement and bypass multi-factor authentication (MFA) when the LDAP auth method is configured with username_as_alias = true and MFA enforcement is applied at the entity or identity group level.
In a broader attack chain described by the company, a certificate entity impersonation issue (CVE-2025-6037) can be combined with CVE-2025-5999 and CVE-2025-6000 to break the authentication layer, gain elevated privileges and obtain code execution. CVE-2025-6037 and CVE-2025-6000 are said to have existed for more than eight and nine years, respectively.
Armed with this capability, a threat actor could go on to access the "core/hsm/_barrier-unseal-keys" file, effectively turning a security utility into a ransomware vector. What's more, HTTP requests could be sent to the control group endpoint and responses received without being audited, creating a covert communication channel.
"This research shows how authentication, policy enforcement, and plugin execution can all be subverted through logic bugs, without touching memory corruption or breaking cryptography," said security researcher Yarden Porat.
In a similar vein, the vulnerabilities discovered in CyberArk Secrets Manager/Conjur allow authentication bypass, privilege escalation, information disclosure and arbitrary code execution, effectively opening the door to a scenario where an attacker can craft an exploitation chain and run arbitrary commands.
The attack sequence unfolds as follows –
- Bypass IAM authentication by forging GetCallerIdentity responses so they appear valid
- Authenticate as a policy resource
- Abuse the host factory endpoint, which applies a valid policy template, to create a new host
- Embed a malicious Embedded Ruby (ERB) payload directly on the host
- Trigger execution of the embedded ERB by invoking the policy factory endpoint
Porat said, "This exploitation chain went from unauthenticated access to full remote code execution without supplying a password, token or AWS credentials."
The disclosure comes as details emerged of security flaws in Dell's ControlVault3 firmware and its associated Windows APIs that could be abused by attackers to bypass Windows login, extract cryptographic keys, and maintain access by planting a malicious implant in the firmware that survives even the installation of a new operating system.
Together, these vulnerabilities provide a powerful remote post-compromise persistence method for covert access to high-value environments. The vulnerabilities identified are as follows –
- CVE-2025-25050 (CVSS score: 8.8) – An out-of-bounds write vulnerability exists in the cv_upgrade_sensor_firmware functionality that can lead to an out-of-bounds write
- CVE-2025-25215 (CVSS score: 8.8) – An arbitrary free vulnerability exists in the cv_close functionality that can lead to an arbitrary free
- CVE-2025-24922 (CVSS score: 8.8) – A stack-based buffer overflow vulnerability exists in the securebio_identify functionality that can lead to arbitrary code execution
- CVE-2025-24311 (CVSS score: 8.4) – An out-of-bounds read vulnerability exists in the cv_send_blockdata functionality that can lead to an information leak
- CVE-2025-24919 (CVSS score: 8.1) – A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality that can lead to arbitrary code execution
The vulnerabilities have been codenamed ReVault. More than 100 models of Dell laptops running Broadcom BCM5820X series chips are affected. There is no evidence that the flaws have been exploited in the wild.
The cybersecurity company also reported that a local attacker with physical access to a user's laptop could open it and reach the Unified Security Hub (USH) board, allowing them to exploit any of the five vulnerabilities without having to log in or know the full-disk encryption password.
"The ReVault attack can be used as a post-compromise persistence technique that can survive Windows reinstalls," the company said. "The ReVault attack can also be used as a physical compromise to bypass Windows login and/or obtain administrator/system privileges for any local user."
To mitigate the risk posed by these flaws, users are advised to apply the fixes provided by Dell; disable ControlVault services if fingerprint readers, smart card readers and near-field communication (NFC) readers are not in use; and turn off fingerprint login in high-risk situations.