Researchers report critical flaws in CyberArk vaults
Take action: If you use CyberArk Conjur or Secrets Manager, immediately update to the latest patched versions released after June 19, 2025, as attackers can completely bypass authentication and take control of your systems. If you can't patch immediately, restrict network access to these systems using firewalls or private networks to limit exposure until you can update.
Learn More
Security researchers are reporting critical vulnerabilities in CyberArk vaults.
These vulnerabilities are collectively named "VaultFault,"
Vulnerabilities summary
- CVE-2025-49827 (CVSS 9.1) - Bypass of IAM Authenticator in Secrets Manager
- CVE-2025-49831 (CVSS 9.1) - IAM Authenticator Bypass via Mis-configured Network Device in Secrets Manager
- CVE-2025-49828 (CVSS 8.6) - Remote Code Execution in Secrets Manager
- CVE-2025-49830 (CVSS 7.1) - Path traversal and file disclosure in Secrets Manager
- CVE-2025-49829 (CVSS 6.0) - Missing validations in Secrets Manager, Self-Hosted
Researchers demonstrated a full pre-authentication remote code execution chain that begins with bypassing AWS IAM authentication mechanisms and escalates to complete system control. The attack exploits malformed regular expressions in IAM authenticator validation, allowing attackers to redirect authentication requests to malicious servers under their control, effectively bypassing the entire authentication framework.
CyberArk published five CVEs on June 19, 2025. Patches are now available in their latest software versions.
Organizations should update to the latest versions of Conjur as soon as possible. For organizations unable to patch immediately, security teams should implement network access restrictions using firewalls, private networking, or proxy layers to limit exposure.
