Because Vault protects API keys, certificates, and encryption keys for countless organizations, the authentication and plugin‑loading bypasses presented in this talk give attackers a direct path to compromise the entire secret‑management layer, jeopardizing data integrity and operational security.
The Black Hat USA 2025 talk, titled “Vaulted Severance: Your Secrets Are Now Outies,” examined critical weaknesses in modern secret‑management systems, using HashiCorp Vault as a case study. The presenters, from SIATA, framed the discussion around how vaults serve as the security backbone for enterprises and why their authentication and plugin mechanisms are attractive attack surfaces.
The researchers demonstrated that Vault’s default username‑password lockout can be circumvented by exploiting case‑permutation, effectively multiplying the allowed attempts. A second flaw allows an attacker to append a single whitespace character to an LDAP username, causing the system to skip the MFA challenge entirely. They also showed that possession of the root token grants the ability to load arbitrary plugins, provided several checks—file location, executable flag, directory path, and hash—are bypassed.
Key demos included a live brute‑force using upper‑lower case variations, a whitespace‑based MFA bypass, and a clever abuse of the audit logging backend. By setting a custom log prefix containing a “#!/bin/bash” shebang and marking the audit file as executable, the team injected a malicious script. An error response from a failed plugin load leaked the exact plugin directory, completing the chain to remote code execution.
These findings force enterprises to rethink default Vault configurations: enforce stricter lockout policies, normalize usernames consistently before they are compared or counted, restrict root‑token usage, and review the configuration of the audit‑log feature itself. Failure to remediate could let adversaries exfiltrate credentials, pivot across networks, and gain full control of critical infrastructure.
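A defender‑side check for the lockout‑evasion and whitespace patterns described above, written here as an added example (it is not code from the talk or from HashiCorp): it parses constructed, simplified Vault‑style JSON audit records, canonicalizes each login username by trimming whitespace and case‑folding, and flags a canonical user whose failed logins are spread across several raw spellings and together exceed the lockout threshold, as well as any username carrying leading or trailing whitespace. The record shape, the login‑path layout `auth/<mount>/login/<user>`, and the threshold of 5 (Vault's documented default) are assumptions.

```python
import json
from collections import defaultdict


def _rec(path, error=None):
    """Build one constructed, simplified Vault-style audit response record."""
    rec = {"type": "response", "request": {"path": path}}
    if error:
        rec["error"] = error
    return json.dumps(rec)


# Constructed sample: six failed logins for "alice" spread over case variants
# (each raw spelling stays under a per-spelling lockout counter), one LDAP
# login whose username carries a trailing space, and one ordinary failure.
SAMPLE_AUDIT_LINES = [
    _rec(f"auth/userpass/login/{u}", "invalid username or password")
    for u in ("alice", "Alice", "ALICE", "aLice", "alICE", "ALice")
] + [
    _rec("auth/ldap/login/bob "),  # succeeded (no error), trailing whitespace
    _rec("auth/userpass/login/carol", "invalid username or password"),
]


def canonical_user(raw):
    """Collapse the two variations the talk abused: case and surrounding whitespace."""
    return raw.strip().casefold()


def login_user(path):
    """Return the raw username from an auth login path, or None for other paths."""
    parts = path.split("/login/", 1)
    return parts[1] if len(parts) == 2 else None


def analyze(lines, lockout_threshold=5):
    """Return (lockout-evasion findings, usernames with surrounding whitespace)."""
    failures = defaultdict(lambda: defaultdict(int))  # canonical -> raw -> count
    whitespace_variants = set()
    for line in lines:
        rec = json.loads(line)
        if rec.get("type") != "response":
            continue
        raw = login_user(rec.get("request", {}).get("path", ""))
        if raw is None:
            continue
        if raw != raw.strip():
            whitespace_variants.add(raw)
        if rec.get("error"):
            failures[canonical_user(raw)][raw] += 1
    findings = []
    for canon, variants in failures.items():
        total = sum(variants.values())
        if len(variants) > 1 and total >= lockout_threshold:
            findings.append({"user": canon, "variants": sorted(variants), "failures": total})
    return findings, sorted(whitespace_variants)
```

Counting failures per canonical name rather than per raw spelling is the same normalization the remediation list asks for; applying it in the lockout logic itself removes the bypass, and applying it in detection catches attempts against deployments that have not yet been patched.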