CyberHappenings logo
🏠 Home 📂 Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Vault Fault vulnerabilities in CyberArk and HashiCorp Vaults enable remote takeover

First reported
Last updated
📰 1 unique sources, 1 articles

Summary

Hide ▲

Over a dozen vulnerabilities, collectively named Vault Fault, have been discovered in CyberArk and HashiCorp enterprise secure vaults. These flaws allow remote attackers to bypass authentication, escalate privileges, and execute arbitrary code, potentially leading to the extraction of enterprise secrets and tokens. The vulnerabilities affect CyberArk Secrets Manager, Self-Hosted, Conjur Open Source, and HashiCorp Vault. The most severe issues permit remote code execution and vault takeover without valid credentials. These vulnerabilities have been addressed in recent updates, but some have existed for years. The flaws include authentication bypasses, impersonation, privilege escalation, and code execution pathways. The vulnerabilities can be chained to create sophisticated attack sequences, including bypassing multi-factor authentication (MFA) and exploiting lockout protection logic. These flaws can be weaponized to turn security features into ransomware vectors or create stealthy communication channels.

Timeline

  1. 09.08.2025 08:15 📰 1 articles · ⏱ 1mo ago

    Vault Fault vulnerabilities disclosed and patched in August 2025

    Over a dozen vulnerabilities, collectively named Vault Fault, were discovered in CyberArk and HashiCorp enterprise secure vaults. These flaws allow remote attackers to bypass authentication, escalate privileges, and execute arbitrary code, potentially leading to the extraction of enterprise secrets and tokens. The vulnerabilities have been addressed in recent updates, but some have existed for years. The flaws include authentication bypasses, impersonation, privilege escalation, and code execution pathways. The vulnerabilities can be chained to create sophisticated attack sequences, including bypassing multi-factor authentication (MFA) and exploiting lockout protection logic. These flaws can be weaponized to turn security features into ransomware vectors or create stealthy communication channels.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Supply Chain Attack Targeting npm Registry Compromises 40 Packages

A supply chain attack targeting the npm registry has compromised over 187 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.

Open in new tab

Phoenix Rowhammer attack bypasses DDR5 Rowhammer defenses

A new Rowhammer attack variant, called Phoenix, bypasses the latest protection mechanisms on DDR5 memory chips from SK Hynix. This attack exploits vulnerabilities in the Target Row Refresh (TRR) mechanism to flip bits in memory, enabling privilege escalation and unauthorized access. The attack was developed by researchers at ETH Zurich University and Google, and it affects all DDR5 DIMM RAM modules produced between January 2021 and December 2024. The Phoenix attack can corrupt data, increase privileges, execute malicious code, or access sensitive data. It works by repeatedly accessing specific rows of memory cells to cause electrical interference, altering nearby bits. The attack is tracked as CVE-2025-6202 and has been assigned a high-severity score. The researchers demonstrated the attack's effectiveness by successfully flipping bits on all 15 DDR5 memory chips in their test pool, achieving root privileges in under two minutes. They also showed that the attack can break SSH authentication and alter system binaries to escalate local privileges. The researchers recommend increasing the refresh rate to 3x to mitigate the Phoenix attack.

Open in new tab

UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns

The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.

Open in new tab

New HybridPetya Ransomware Exploits UEFI Secure Boot Bypass Vulnerability

A new ransomware variant, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware but includes the ability to bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and can compromise modern UEFI-based systems. The ransomware operates through a bootkit and an installer, with the bootkit managing encryption and decryption processes. The ransomware has been observed in samples uploaded to VirusTotal in February 2025, with no evidence of active use in the wild. The vulnerability exploited by HybridPetya was patched in January 2025. The ransomware encrypts the MFT and displays a fake CHKDSK message to deceive victims. It demands a $1,000 ransom in Bitcoin, with a total of $183.32 received between February and May 2025. The ransom note provides an option for victims to enter a decryption key after payment, which triggers the decryption process. The bootkit also recovers legitimate bootloaders from backups created during installation. The ransomware triggers a system crash during bootloader changes, ensuring the bootkit binary is executed upon reboot. HybridPetya may be a research project, proof-of-concept, or early version of a cybercrime tool under limited testing. HybridPetya combines the destructive capabilities of NotPetya, the recoverable encryption functionality of Petya ransomware, and the ability to bypass Secure Boot protections. It can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table (MFT). HybridPetya's ability to install harmful code directly into a computer's UEFI firmware makes it hard for security teams to detect. The emergence of HybridPetya highlights the growing threat from UEFI bootkits that reside at a computer's startup sequence level.

Open in new tab

Active exploitation of CVE-2025-5086 in DELMIA Apriso

CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.

Open in new tab