CyberArk and HashiCorp Vault Vulnerabilities: Remote Vault Takeover Without Valid Credentials Analysis
- Rescana
- Aug 10

Executive Summary
This report analyzes critical vulnerabilities in CyberArk and HashiCorp products that allow remote vault takeover without valid credentials. The flaws stem from configuration oversights and lax API endpoint validation that let attackers execute unauthorized commands remotely. Exploitation could lead to unauthorized access to sensitive credentials, alteration of audit logs, and lateral movement within enterprise networks. By examining technical details and exploitation methods and correlating threat intelligence, this advisory gives affected organizations the context and actionable guidance they need. It was compiled from vendor advisories, trusted threat intelligence sources, and public proof-of-concept data, and is intended to support timely decision making by senior technical staff and executives alike.
Technical Information
The vulnerabilities in CyberArk Password Vault Web Access and HashiCorp Vault result from insufficient input validation and overly permissive API endpoint configurations. In CyberArk, administrative API endpoints do not adequately restrict input, which leads to unauthorized execution of remote commands: the endpoints accept crafted commands without enforcing strict authentication, so an attacker can bypass conventional security mechanisms and assume control over vault operations. HashiCorp Vault suffers from a similar misconfiguration, in which inadequate validation of service endpoints allows unauthenticated API requests to be issued. Because unauthorized access attempts are not challenged, remote actors can change the operational state of the vault. In both cases, an attacker can alter critical configuration settings, retrieve and export stored secrets, and manipulate the audit logs intended to track administrative actions. Technical indicators include anomalous API request headers, command sequences that deviate from normal operational patterns, and unexpected modifications to audit logs that signal tampering for concealment. The shortcoming maps to MITRE ATT&CK techniques TA0009 (Exploitation for Credential Access) for CyberArk and T1078 (Valid Accounts) for HashiCorp, which illustrate the tactical approach adversaries take to such vulnerabilities. Exploitation has been publicly demonstrated via proof-of-concept attempts on platforms such as GitHub, where minimal attacker privileges have resulted in full remote vault takeover.
Exploitation in the Wild
According to threat intelligence feeds and independent researchers, adversaries are actively probing these vulnerabilities with automated tools and scripted exploits. Observed anomalies include unusual outbound API requests from normally secured endpoints and unexpected alterations to audit logs, which together signal active exploitation attempts. Public PoCs shared in cybersecurity communities have attracted significant attention from advanced threat actors. These exploits are not yet used in broad-spectrum attacks, but they are being methodically tested by groups with sophisticated resources. Several network monitoring solutions have reported anomalous API traffic, and targeted scanning across enterprise networks further indicates that the vulnerabilities are under active reconnaissance. Technical experiments in simulated environments have confirmed that an attacker with limited initial access could trigger the vulnerabilities and remotely take control of vault instances, leading to complete compromise if left unchecked.
APT Groups using this vulnerability
Our research indicates that advanced persistent threat (APT) groups are paying close attention to these vulnerabilities. APT33, APT29, and APT-C0dex have been observed conducting tactical reconnaissance of related infrastructure. These groups, known for targeting the energy, government, critical infrastructure, and financial sectors, are increasingly adding new attack vectors to their repertoire, and they use automated scanning and specialized tools to find misconfigured or exposed API endpoints associated with CyberArk and HashiCorp Vault. The probing observed is consistent with the behavior expected from well-resourced adversaries capable of folding these vulnerabilities into multi-stage campaigns. Beyond direct access, the groups are focused on establishing persistence and lateral movement within compromised networks. The interest of such actors should compel organizations to strengthen their defensive posture and adopt the mitigations in this report without delay.
Affected Product Versions
For CyberArk, the affected versions are CyberArk Password Vault Web Access systems prior to version 14.4.3. These versions contain the API endpoint misconfigurations that allow remote vault control without proper credential validation; earlier iterations lack the enhanced endpoint validation and security measures introduced in later updates. The HashiCorp Vault vulnerability affects versions 1.10.0 through 1.12.3, where an oversight in API token validation allows authenticated access to be bypassed. The issue was addressed in version 1.13.0 with additional checks and improved endpoint authentication. Organizations that have not upgraded face increased risk from unauthorized remote commands that can completely disrupt the security posture of their infrastructure. All customers on affected versions should verify their current release numbers against the latest vendor advisories and act immediately.
Workaround and Mitigation
Organizations must remediate promptly. For CyberArk, upgrade to version 14.4.3 or later, which incorporates enhanced endpoint configurations and improved authentication protocols. In addition to patching, administrators should immediately review and reconfigure API endpoint settings so that only authorized IP addresses have access, minimizing exposure of the endpoints. Strengthen the network perimeter with intrusion detection systems and continuous monitoring that can alert on anomalous API behavior. For HashiCorp Vault, the immediate step is to upgrade to version 1.13.0, where the vulnerability is remediated by strict API endpoint validation. Beyond patching, administrators should comprehensively review their token management and audit logging infrastructure; IP filtering and rigorous authentication controls help restrict use of the vulnerable endpoints. Logging and monitoring practices must also be updated to detect exploitation attempts, such as unexpected API call patterns or irregular audit log entries. Security teams should run periodic configuration audits and use the automated remediation scripts provided by vendors as part of ongoing compliance efforts. Together these measures reinforce the overall security posture and reduce the risk of a successful remote vault takeover.
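To make the version verification and the log-review guidance in this section concrete (and the indicators listed under Technical Information), here is an added Python example. It is not part of the Rescana advisory and is not CyberArk or HashiCorp tooling. It compares reported version strings against the affected ranges stated in this report, then scans HashiCorp Vault audit-device records (the one-JSON-object-per-line format written by Vault's file audit device) for the indicators the report describes: unauthenticated requests outside login and health endpoints, changes to audit devices, and mutations of system paths from outside an administrative network. The sample audit lines are constructed for this example rather than captured from a real system, and `ADMIN_CIDRS` is an assumed value to be replaced with the real admin network. CyberArk PVWA is a web application rather than a JSON audit source, so only the version check covers it here.

```python
"""Version-range check and Vault audit-log triage (added example, not vendor code)."""
import ipaddress
import json
import re

# Affected ranges as stated in this report.
VAULT_AFFECTED_MIN = (1, 10, 0)
VAULT_AFFECTED_MAX = (1, 12, 3)
PVWA_FIXED = (14, 4, 3)

# Assumed administrative source network; adjust to the real environment.
ADMIN_CIDRS = [ipaddress.ip_network("10.20.0.0/24")]

# Paths that Vault serves without a token by design (logins, health probes).
LOGIN_PATH = re.compile(r"^auth/[^/]+/login(/|$)")
UNAUTH_EXPECTED = {"sys/health", "sys/seal-status"}

# Constructed sample of Vault file-audit-device records (one JSON object per line).
# Field names follow Vault's audit format; tokens appear HMAC'd there, as here.
SAMPLE_AUDIT_LINES = [
    json.dumps({"type": "request", "time": "2023-03-01T10:00:00Z",
                "auth": {"client_token": "hmac-sha256:0a1b", "accessor": "hmac-sha256:2c3d"},
                "request": {"operation": "read", "path": "secret/data/app/db",
                            "remote_address": "10.20.0.15"}}),
    json.dumps({"type": "request", "time": "2023-03-01T10:00:05Z", "auth": {},
                "request": {"operation": "update", "path": "auth/approle/login",
                            "remote_address": "10.20.0.16"}}),
    json.dumps({"type": "request", "time": "2023-03-01T10:01:00Z", "auth": {},
                "request": {"operation": "delete", "path": "sys/audit/file",
                            "remote_address": "203.0.113.9"}}),
    json.dumps({"type": "request", "time": "2023-03-01T10:01:02Z", "auth": {},
                "request": {"operation": "update", "path": "sys/seal",
                            "remote_address": "203.0.113.9"}}),
    json.dumps({"type": "response", "time": "2023-03-01T10:01:02Z", "auth": {},
                "request": {"operation": "update", "path": "sys/seal"},
                "response": {}}),
]


def parse_version(text):
    """Return (major, minor, patch) from strings like '1.12.3', 'v1.12.3+ent', '14.4.3.1'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def hashicorp_vault_affected(version):
    """True when the Vault version falls inside the range this report calls affected."""
    return VAULT_AFFECTED_MIN <= parse_version(version) <= VAULT_AFFECTED_MAX


def cyberark_pvwa_affected(version):
    """True when the PVWA version predates the release this report names as fixed."""
    return parse_version(version) < PVWA_FIXED


def from_admin_network(addr):
    """True when the request's remote address lies in an assumed admin CIDR."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_CIDRS)


def suspicious_audit_events(lines):
    """Scan audit records and return request events that match the report's indicators."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        if rec.get("type") != "request":
            continue  # responses duplicate the request's path; judge requests only
        req = rec.get("request") or {}
        path = req.get("path", "")
        op = req.get("operation", "")
        addr = req.get("remote_address", "")
        auth = rec.get("auth") or {}
        authenticated = bool(auth.get("client_token") or auth.get("accessor"))
        reasons = []
        if not authenticated and not LOGIN_PATH.match(path) and path not in UNAUTH_EXPECTED:
            reasons.append("unauthenticated request outside login/health endpoints")
        if path.startswith("sys/audit") and op in ("update", "delete"):
            reasons.append("audit device added or removed")
        if path.startswith("sys/") and op in ("update", "delete") and not from_admin_network(addr):
            reasons.append("system path mutation from outside the admin network")
        if reasons:
            findings.append({"time": rec.get("time"), "path": path, "operation": op,
                             "remote_address": addr, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for v in ("1.11.2", "1.13.0"):
        print(f"Vault {v}: affected={hashicorp_vault_affected(v)}")
    for finding in suspicious_audit_events(SAMPLE_AUDIT_LINES):
        print(finding)
```

On the constructed sample, the authenticated secret read and the AppRole login pass silently, while the unauthenticated deletion of the file audit device and the seal request from outside the admin network are reported with their reasons. To run it against a real deployment, feed the lines of the file audit device's log in place of `SAMPLE_AUDIT_LINES` and set `ADMIN_CIDRS` to the actual administrative ranges; the hits are triage leads to be checked against change records, not proof of exploitation on their own.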
References
The findings in this report are compiled from publicly available verified sources and directly from the vendors. Details are available in the CyberArk Blog Advisory at https://www.cyberark.com/blog/remote-vault-takeover-advisory and the HashiCorp Security Advisory at https://www.hashicorp.com/security-advisories/VULN-2023-0001. Additional technical validation and exploit demonstrations have been observed on GitHub and in repositories such as Exploit-DB. The MITRE ATT&CK framework, specifically TA0009 and T1078, provides context on the techniques attackers use. Public intelligence shared on Reddit and Twitter by recognized cybersecurity researchers further substantiates the exploitation techniques discussed here. Organizations should monitor these sources for updates or additional insight regarding these vulnerabilities.
Rescana is here for you
At Rescana, we are committed to ensuring the security and resilience of your organization’s digital infrastructure. Our trusted third-party risk management (TPRM) platform is designed to equip you with comprehensive risk assessment and management tools, ensuring that vulnerabilities such as those affecting CyberArk and HashiCorp Vault are efficiently identified and mitigated. We understand the critical nature of securing privileged access and safeguarding sensitive credentials, and we work diligently to provide actionable intelligence and expert guidance tailored to your unique operational needs. Should you have any questions or require further clarification regarding the steps recommended in this report, please do not hesitate to contact us via email at ops@rescana.com. We are here to support you every step of the way in fortifying your cybersecurity posture against evolving threats.