This audio is auto-generated. Please let us know if you have feedback. ORLANDO, Fla. — Workplace safety experts have long been focused not just on workers' physical wellbeing but their mental health as well. That rang true at the American Society of Safety Professionals 2025 Expo and Conference in July. “It definitely is [our responsibility],”
You are here: Home / News / Cosmos Health Enters $300 Million Financing Deal to Support Ethereum Treasury Plan Cosmos Health secures up to $300M to build Ethereum treasury, boosting shareholder value. Cosmos Health explores yield-generating strategies to maximize returns from Ethereum holdings. Ethereum treasury firms, like Cosmos Health, are more investable than U.S. spot
The specialist in brickwork, scaffolding and steel frame systems (SFS), delivered the full masonry package to the newly opened Derwent Unit, which is based at Chesterfield Royal Hospital in Chesterfield. At the Carsington Unit, which sits in the grounds of Kingsway Hospital in Derby, Phoenix provided masonry and BMH Scaffolding supplied all the scaffolding requirements
Two Zara ads have been banned in the UK for featuring models who looked “unhealthily thin”. The Advertising Standards Authority (ASA) said one model looked “gaunt” because of shadows and her hairstyle, the BBC reported. Another model’s shirt revealed sticking-out collarbones. The ASA said both ads were “irresponsible” and must not appear again. They also
Opinions expressed by Entrepreneur contributors are their own. "It's all about location, location, location" is the old but humorous business adage about the importance of where property is located and how that affects its valuation. This is a phrase that is ubiquitous among real estate vendors and agents worldwide. But location aside, there is another
This audio is auto-generated. Please let us know if you have feedback. ORLANDO, Fla. — Workplace safety experts have long been focused not just on workers' physical wellbeing but their mental health as well. That rang true at the American Society of Safety Professionals 2025 Expo and Conference in July. “It definitely is [our responsibility],”
You are here: Home / News / Cosmos Health Enters $300 Million Financing Deal to Support Ethereum Treasury Plan Cosmos Health secures up to $300M to build Ethereum treasury, boosting shareholder value. Cosmos Health explores yield-generating strategies to maximize returns from Ethereum holdings. Ethereum treasury firms, like Cosmos Health, are more investable than U.S. spot
The specialist in brickwork, scaffolding and steel frame systems (SFS), delivered the full masonry package to the newly opened Derwent Unit, which is based at Chesterfield Royal Hospital in Chesterfield. At the Carsington Unit, which sits in the grounds of Kingsway Hospital in Derby, Phoenix provided masonry and BMH Scaffolding supplied all the scaffolding requirements
Two Zara ads have been banned in the UK for featuring models who looked “unhealthily thin”. The Advertising Standards Authority (ASA) said one model looked “gaunt” because of shadows and her hairstyle, the BBC reported. Another model’s shirt revealed sticking-out collarbones. The ASA said both ads were “irresponsible” and must not appear again. They also
Researchers at Cyata, an agentic identity specialist that has just emerged from stealth, found 14 CVEs in the widely used CyberArk Conjur and HashiCorp Vault enterprise secrets management platforms
A total of 14 common vulnerabilities and exposures (CVEs) spanning CyberArk’s Conjur and HashiCorp’s Vault enterprise secrets management platforms have been addressed and disclosed this week, after being discovered by researchers at Cyata, an emergent, Israel-based startup working in the field of agentic identity.
Taken as a whole, the critical issues demonstrated “complete compromise” of the secrets management systems that protect virtually every Fortune 500 organisation, said Cyata. The vulnerability set, comprising five issues in Conjur and nine in Vault, has likely been exploitable for several years and includes issues that enable remote code execution (RCE).
Cyata CEO and Check Point alumni Shahar Tal said the disclosures represented a worst-case scenario for enterprise security.
“When attackers can compromise the vault without any authentication, they literally gain the keys to the kingdom – access to every database, every API [application programming interface], every cloud resource across an entire organisation,” he said.
“In some cases, we achieved full vault compromise with just a single unauthenticated API request – no credentials, no friction.”
Notable among the Conjur vulnerabilities is a complete, unauthenticated RCE chain that arises from the service’s default Amazon Web Services (AWS) integration setup.
When attackers can compromise the vault without any authentication, they gain the keys to the kingdom – access to every database, every API, every cloud resource across an entire organisation Shahar Tal, Cyata
Exploiting it would enable an attacker to gain full system control without any valid credentials, tokens, or even a real AWS account.
The attack chain in question begins with an identity and access management (IAM) authentication bypass that redirects AWS security token service (STS) validation to a server controlled by an attacker.
This condition achieved, the attacker can impersonate any AWS identity they like without supplying a single credential, then escalate to create and control their own hosts to achieve remote code execution in a “seamless, start-to-finish” exploit chain in which every step uses default behaviour that doesn’t look out of place until it’s too late.
The exploit chain was reported to CyberArk on 23 May 2025 per the organisation’s disclosure policies, and the five CVEs in scope began to be issued on 19 June.
When trust can’t be trusted
The set of nine HashiCorp CVEs – which are classed as zero-days – enabled attackers, and include the first ever identified RCE vulnerability reported in Vault’s 10-year history, which stemmed from a flaw that appears to have been exploitable for almost as long.
Collectively, the vulnerabilities affected some of Vault’s most popular authentication methods, such as traditional usernames and passwords, Lightweight Directory Access Protocol (LDAP) and multifactor authentication (MFA).
Cyata’s researchers said the issues stemmed entirely from logic flaws and failures that, taken individually and together, create dangerous attack paths in real-world deployments where misconfigurations and excessive permissions can be widespread.
The RCE flaw, tracked as CVE-2025-6000, arises at the end of a chain, through which an attacker can create a malicious custom plugin.
If they can successfully achieve this goal and execute their attack, attackers can achieve persistent and low-visibility access to their victims’ environments. But more concerningly, they can turn Vault’s encryption mechanism upside down, changing it from a protective measure to a component in a ransomware extortion attack.
This is possible because Vault stores critical policies, secrets and tokens encrypted on disk, with a specific file needed for decryption. Should someone delete this file, however, Vault will permanently lose access to its encryption key, and even an administrator won’t be able to get it back, said Cyata.
As with CyberArk, the vulnerabilities were disclosed to HashiCorp in May, and the CVEs were issued on 12 June across open source and enterprise versions of Vault.
Tips for CISOs
Alongside Tal, Cyata lead researcher Yarden Porat demonstrated the findings at Black Hat USA this week, alongside the coordinated disclosure announcement. The firm has also set up a dedicated landing page where security practitioners can find more in-depth technical details, indicators of compromise (IoCs) and other useful tools.
In addition to approving and applying the patches from CyberArk and HashiCorp immediately, security teams should also take steps to review their vault access logs for any suspicious activity, work to identify potential compromises using the newly published detection tooling, and prepare incident response plans for the outlined scenarios, should they unfold.
It would also be wise to consider implementing more monitoring and access controls around vault systems, said Cyata.
Read more on Identity and access management products
