I was reviewing HCSEC-2025-14 - Privileged Vault Operator May Execute Code on the Underlying Host and that raised a number of questions. I can’t reply in the other channel so I created a new thread here.
“This vulnerability, identified as CVE-2025-6000, is fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.”
So it’s only fixed in the latest community version? That’s a bit of a jump for some people.
Are there mitigating actions? E.g. if you’re not using plugins, or if you’re only using stdout for audit?
You should be able to mostly mitigate, but the recommendation is to update.
Check policies for write/update access on identity/entity/id/:id
Remove sudo access on sys/audit and /sys/plugins/catalog
Check to see if you are using vulnerable auth methods and migrate if possible (e.g. userpass >> OIDC w MFA)
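One way to audit existing policies for the three grants listed above (an added example, not from the advisory or the Vault project; the sample policy and its path names are constructed, and the parser handles only plain `path "..." { capabilities = [...] }` blocks of the kind `vault policy read` prints):

```python
import re

# Constructed sample policy in HCL, shaped like `vault policy read <name>` output.
SAMPLE_POLICY = """
path "identity/entity/id/*" {
  capabilities = ["read", "update"]
}
path "sys/audit/*" {
  capabilities = ["create", "read", "sudo"]
}
path "sys/plugins/catalog/+/*" {
  capabilities = ["read", "list"]
}
path "secret/data/app/+/config" {
  capabilities = ["read"]
}
"""

# Checks from the thread: (label, representative concrete path, capabilities that matter).
# "write" in the CLI sense corresponds to the create/update capabilities in policy HCL.
CHECKS = [
    ("identity/entity/id/:id", "identity/entity/id/example-entity-id", {"create", "update"}),
    ("sys/audit", "sys/audit/example-device", {"sudo"}),
    ("sys/plugins/catalog", "sys/plugins/catalog/secret/example-plugin", {"sudo"}),
]

BLOCK_RE = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
CAPS_RE = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')

def parse_policy(hcl):
    """Map each path pattern in a Vault ACL policy to its set of capabilities."""
    rules = {}
    for path, body in BLOCK_RE.findall(hcl):
        m = CAPS_RE.search(body)
        rules[path] = set(re.findall(r'"([^"]+)"', m.group(1))) if m else set()
    return rules

def covers(pattern, target):
    """Vault path globbing: '+' matches one segment, a trailing '*' matches any suffix."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    regex = re.escape(body).replace(r"\+", "[^/]+") + (".*" if glob else "")
    return re.fullmatch(regex, target) is not None

def find_risky_grants(hcl):
    """Return (policy_path, check_label, capabilities) for each grant the mitigations flag."""
    hits = []
    for path, caps in parse_policy(hcl).items():
        for label, target, risky in CHECKS:
            found = caps & risky
            if found and covers(path, target):
                hits.append((path, label, sorted(found)))
    return hits

if __name__ == "__main__":
    for path, label, caps in find_risky_grants(SAMPLE_POLICY):
        print(f"{path!r} grants {caps} on {label}")
```

Run it over each policy returned by `vault policy list` / `vault policy read`; a broad grant such as `path "*"` or `path "sys/*"` is reported too, since the glob matching resolves it against the concrete paths.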
Thanks, is there any way to confirm that the fix is only available in “1.20.1” for the community version? That might highlight the benefit of the enterprise version, but I’m sure there are lots of people using the older community version.
I’ve been told that is correct, and just the link you originally posted stating it’s fixed in 1.20.1.
Hi, I am late to the party it seems.
I am wondering, since I don’t have plugins_directory defined and there is no default value for it mentioned in the docs, does it mean my deployment is safe? It is strange that while plugins are required for the CVE to work, nowhere is it mentioned that plugins also need to be enabled.
But when I check how to work with plugins in the docs, one of the steps is plugins_directory being required in the Vault config …