SB2025080578 - Multiple vulnerabilities in HashiCorp Vault and Vault Enterprise




Published: August 5, 2025
Updated: August 6, 2025

Security Bulletin ID: SB2025080578
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 33% (2 of 6)
Low: 67% (4 of 6)

Description

This security bulletin contains information about 6 security vulnerabilities in HashiCorp Vault and Vault Enterprise.


1) Improper Certificate Validation (CVE-ID: CVE-2025-6037)

The vulnerability allows a remote attacker to impersonate other application users.

The vulnerability exists because the application does not correctly validate client certificates when a non-CA (leaf) certificate is configured as the trusted certificate. A trusted leaf can only vouch for itself, so the certificate a client presents has to be matched against it exactly rather than by fields an attacker can reproduce. A remote attacker can craft a malicious certificate that could be used to impersonate another user.
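The matching rule behind this item, as an added example in Go (the language Vault is written in); it is illustrative code, not Vault's own. Two self-signed, non-CA certificates are constructed for the same subject and serial number but with different keys, standing in for the configured trusted certificate and an attacker's forgery. weakMatch is a hypothetical flawed check that identifies the trusted leaf by copyable metadata; strictMatch compares the full DER encoding, which includes the public key the TLS handshake has already proven the client controls. The names makeSelfSigned, weakMatch and strictMatch are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned builds a self-signed, non-CA client certificate for the
// example (constructed test data). Because it is self-signed, whoever holds
// the key chooses every field in it, the serial number included.
func makeSelfSigned(cn string, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  false,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// weakMatch is a hypothetical flawed check (not Vault's code): it decides
// that the presented certificate "is" the trusted leaf by comparing fields
// an attacker can copy into a certificate of their own.
func weakMatch(trusted, presented *x509.Certificate) bool {
	return trusted.SerialNumber.Cmp(presented.SerialNumber) == 0 &&
		trusted.Subject.String() == presented.Subject.String()
}

// strictMatch is the hardened check: a non-CA trusted certificate can only
// authenticate that exact certificate, so compare the complete DER encoding.
// That covers the public key, so a certificate carrying the attacker's key
// can never compare equal, and the TLS handshake has already proven the
// client holds the private key for the certificate it presented.
func strictMatch(trusted, presented *x509.Certificate) bool {
	return bytes.Equal(trusted.Raw, presented.Raw)
}

func main() {
	trusted := makeSelfSigned("alice", 1001)
	// Attacker: own key pair, certificate fields copied from the trusted leaf.
	forged := makeSelfSigned("alice", 1001)

	fmt.Printf("forged cert  weak=%v strict=%v\n", weakMatch(trusted, forged), strictMatch(trusted, forged))
	fmt.Printf("genuine cert weak=%v strict=%v\n", weakMatch(trusted, trusted), strictMatch(trusted, trusted))
}
```

Anything short of comparing the whole certificate (or at minimum its SubjectPublicKeyInfo plus signature) reintroduces the bug, because every field of a self-signed certificate is attacker-chosen; serial number, subject and even issuer name carry no authority on their own.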


2) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2025-6011)

The vulnerability allows a remote attacker to enumerate existing user accounts.

The vulnerability exists because the userpass auth method handles a login attempt for a non-existent user differently from one for an existing user with a wrong password, and the difference is visible in response time. A remote attacker can measure that timing discrepancy to distinguish existing from non-existing users and so enumerate valid usernames for Vault's userpass auth method. Enumeration grants no access by itself, but it supplies the usernames needed for password guessing.


3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-6000)

The vulnerability allows an authenticated, privileged user to execute arbitrary code on the host running Vault.

The vulnerability exists due to improperly imposed security restrictions. A privileged Vault operator within the root namespace with write permission to sys/audit may obtain code execution on the underlying host if a plugin directory is set in Vault's configuration. The prerequisites matter: this is an escalation from a root-namespace operator to the host, not an attack available to an unauthenticated remote user, and deployments with no plugin_directory set are not exposed to it.


4) Improper Authentication (CVE-ID: CVE-2025-6015)

The vulnerability allows a remote user to bypass multi-factor authentication.

The vulnerability exists because the application does not properly normalize TOTP codes before enforcing the once-per-validity-window check. A remote attacker who knows the victim's credentials can resubmit a previously used code, in a form that differs from the stored entry but normalizes to the same value, during the MFA check and so bypass MFA.


5) Protection Mechanism Failure (CVE-ID: CVE-2025-6004)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to an incorrect implementation of the user lockout mechanism. A remote user can bypass the user lockout feature for the Userpass and LDAP auth methods by varying the case of characters in the username when the auth method is not configured to be case-sensitive: the login lookup treats the variants as the same user while the lockout counter treats them as different ones, so each spelling gets a fresh budget of attempts.
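Items 2 and 5 both come down to the login path treating a username differently in two places, so one added example in Go covers both (illustrative code, not Vault's; the Userpass type, its derive KDF stand-in, the HashCalls counter and the sample users are assumptions of this example). The backend is case-insensitive, as in the affected configuration. With hardened=false an unknown user is rejected before any password hashing (the timing signal of item 2) and the failure counter is keyed by the raw username while the lookup lowercases it (the lockout bypass of item 5). With hardened=true the canonical name is used for both the lookup and the counter, and the unknown-user path hashes a dummy record so it costs the same as a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// One error for every failure path, so the response body leaks nothing.
var errLogin = errors.New("invalid username or password")

const kdfIters, maxFailures = 2000, 3

// derive is a PBKDF2-style iterated HMAC-SHA256 (assumption: a stand-in for
// the real password hash). Its cost is exactly what an early return skips.
func derive(password string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write(salt)
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < kdfIters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

type record struct{ salt, hash []byte }

// Userpass is a toy case-insensitive userpass backend with a failure counter.
type Userpass struct {
	users     map[string]record
	failures  map[string]int
	dummy     record // costs the same to check as a real record
	HashCalls int    // instrumentation: derivations actually performed
}

func NewUserpass() *Userpass {
	salt := []byte("dummy-salt") // constructed; real salts are random per user
	return &Userpass{
		users:    map[string]record{},
		failures: map[string]int{},
		dummy:    record{salt, derive("dummy-password", salt)},
	}
}

func (u *Userpass) AddUser(name, password string) {
	salt := []byte("salt:" + name) // constructed; real salts are random
	u.users[strings.ToLower(name)] = record{salt, derive(password, salt)}
}

// Login with hardened=false has both weaknesses: the lockout counter is keyed
// by the raw username while the lookup lowercases it, and an unknown user is
// rejected before any hashing. With hardened=true the canonical name keys
// both, and the unknown-user path does the same work as a real one.
func (u *Userpass) Login(name, password string, hardened bool) error {
	lookupKey := strings.ToLower(name)
	lockKey := name // flaw: "alice" and "ALICE" get separate counters
	if hardened {
		lockKey = lookupKey
	}
	if u.failures[lockKey] >= maxFailures {
		return errLogin
	}
	rec, known := u.users[lookupKey]
	if !known {
		if !hardened {
			return errLogin // fast path: measurably quicker than a wrong password
		}
		rec = u.dummy // hash anyway; the result is discarded below
	}
	u.HashCalls++
	got := derive(password, rec.salt)
	if subtle.ConstantTimeCompare(got, rec.hash) != 1 || !known {
		u.failures[lockKey]++
		return errLogin
	}
	delete(u.failures, lockKey)
	return nil
}

func main() {
	for _, hardened := range []bool{false, true} {
		up := NewUserpass()
		up.AddUser("alice", "correct horse battery staple")
		for i := 0; i < maxFailures; i++ {
			up.Login("alice", "wrong", hardened)
		}
		err := up.Login("ALICE", "correct horse battery staple", hardened)
		before := up.HashCalls
		up.Login("nobody", "x", hardened)
		fmt.Printf("hardened=%v: ALICE after lockout of alice -> %v; unknown user hashed %d time(s)\n",
			hardened, err, up.HashCalls-before)
	}
}
```

The HashCalls field exists only so the difference is checkable without a stopwatch; in a real deployment the signal is a timing measurement over many requests, and the fix must also keep error messages and status codes identical across the known-user and unknown-user paths.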


6) Improper Authentication (CVE-ID: CVE-2025-6014)

The vulnerability allows a remote attacker to bypass TOTP authentication.

The vulnerability exists because entries in the TOTP used-code cache were not normalized, making it possible to reuse an already-accepted code by appending whitespace to it. A remote user with knowledge of existing user credentials can replay a code within its validity window and bypass TOTP authentication.
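Items 4 and 6 are the same mistake applied to two caches: the comparison tolerates a variant of the code that the once-per-window cache does not recognise. The added Go example below (illustrative, not Vault's code) implements RFC 6238 TOTP over HMAC-SHA1 and a Validator whose replay cache is keyed either by the raw input (normalized=false, the flawed behaviour) or by the canonical form the comparison actually sees (normalized=true). The secret and timestamp are the RFC 6238 test vector, for which the 6-digit code at t=59 is 287082; canonical, Validator and the cache-key layout are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

const (
	totpStep   = 30 * time.Second
	totpDigits = 6
)

// hotp is RFC 4226 dynamic truncation over HMAC-SHA1.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[off])&0x7f)<<24 | uint32(sum[off+1])<<16 |
		uint32(sum[off+2])<<8 | uint32(sum[off+3])
	return fmt.Sprintf("%0*d", totpDigits, code%1000000)
}

// window is the RFC 6238 time-step counter for t.
func window(t time.Time) uint64 { return uint64(t.Unix() / int64(totpStep/time.Second)) }

// canonical is the normalisation applied to user input: strip all whitespace
// (assumption: the only tolerance the comparison allows).
func canonical(code string) string { return strings.Join(strings.Fields(code), "") }

// Validator enforces "each code is accepted at most once per window".
type Validator struct {
	secret     []byte
	used       map[string]bool // keys: "<window>/<code>"
	normalized bool            // true = hardened: key the cache by the canonical form
}

func NewValidator(secret []byte, normalized bool) *Validator {
	return &Validator{secret: secret, used: map[string]bool{}, normalized: normalized}
}

// Validate accepts a submitted code if it matches the current window's value
// and has not already been accepted in this window.
func (v *Validator) Validate(input string, now time.Time) bool {
	code := canonical(input) // what the comparison actually sees
	cacheKey := input        // flawed variant: the raw bytes the user sent
	if v.normalized {
		cacheKey = code
	}
	key := fmt.Sprintf("%d/%s", window(now), cacheKey)
	if v.used[key] {
		return false
	}
	expected := hotp(v.secret, window(now))
	if subtle.ConstantTimeCompare([]byte(code), []byte(expected)) != 1 {
		return false
	}
	v.used[key] = true
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret
	at := time.Unix(59, 0)                   // RFC vector: 6-digit code 287082
	fmt.Println("code:", hotp(secret, window(at)))
	for _, normalized := range []bool{false, true} {
		v := NewValidator(secret, normalized)
		first := v.Validate("287082", at)
		replay := v.Validate(" 287082", at) // same code, one leading space
		fmt.Printf("normalized=%v first=%v replay=%v\n", normalized, first, replay)
	}
}
```

The safest version rejects any input that is not exactly six ASCII digits before it reaches either the comparison or the cache; if some tolerance is wanted, normalize once and use that single canonical string everywhere, never the raw submission.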


Remediation

Install the update from the vendor's website.