SB2025080621 - LDAP MFA Enforcement Bypass in HashiCorp Vault and Vault Enterprise
Published: August 6, 2025
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper authentication (CVE-ID: CVE-2025-6013)
The vulnerability allows a remote attacker to bypass MFA authentication.
The vulnerability exists because the LDAP authentication method does not correctly enforce MFA if "username_as_alias" is set to true and a user has multiple CNs that are equal except for leading or trailing spaces. LDAP usernames containing additional whitespace may be valid and result in a successful authentication from the LDAP backend after normalization.
When setting the alias name on a successful login, the LDAP auth method would set the entity alias name to the value provided by the user rather than using the normalized user DN information returned by the LDAP directory.
Because strings with additional spaces were normalized inconsistently, distinct entity alias names (and potentially duplicate entity alias IDs) could be created for the same directory user, which resulted in MFA enforcement not being respected in some configurations.
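The following is an added, constructed model of the alias-naming defect described above; it is not HashiCorp Vault code. The directory entries, usernames, the MFA policy and the assumption that the directory ignores leading and trailing whitespace when matching cn are all invented for illustration. It contrasts the defective alias assignment (alias taken from the raw user-supplied string) with the hardened one (alias taken from the entry the directory returned), and adds a small audit helper that flags existing alias names that collide once whitespace is stripped.

```python
# Toy model of the alias-naming defect described in the bulletin.
# Added, constructed example: not HashiCorp Vault code. The directory contents,
# usernames, MFA policy and the whitespace-insensitive matching rule are assumptions.

# Constructed directory: canonical DN -> attributes.
DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=com": {"cn": "alice"},
    "cn=bob,ou=users,dc=example,dc=com": {"cn": "bob"},
}


def ldap_lookup(username):
    """Resolve a login name to the canonical DN the directory would return.

    Assumption: the directory ignores leading/trailing whitespace when matching
    cn, so ' alice' and 'alice ' both resolve to alice's entry."""
    wanted = username.strip().lower()
    for dn, attrs in DIRECTORY.items():
        if attrs["cn"].lower() == wanted:
            return dn
    return None


def login(mfa_policy, username, password_ok, username_as_alias, use_directory_name):
    """Simulate alias assignment on a successful LDAP login.

    mfa_policy maps an entity alias name to whether MFA is enforced for it.
    use_directory_name=False reproduces the defective behaviour (alias taken
    from the raw user-supplied string); True is the hardened behaviour (alias
    taken from the entry the directory actually returned).
    Returns (authenticated, alias_name, mfa_enforced)."""
    dn = ldap_lookup(username)
    if dn is None or not password_ok:
        return (False, None, False)
    if not username_as_alias:
        alias = dn  # DN-based aliases are taken from the directory already
    elif use_directory_name:
        alias = DIRECTORY[dn]["cn"]  # normalized name from the directory entry
    else:
        alias = username  # raw input: ' alice ' becomes a different alias
    return (True, alias, mfa_policy.get(alias, False))


def find_whitespace_collisions(alias_names):
    """Audit helper: group alias names that are identical once leading and
    trailing whitespace is removed. A group with more than one member means
    one directory user has been split across several entity aliases."""
    groups = {}
    for name in alias_names:
        groups.setdefault(name.strip(), []).append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    policy = {"alice": True}  # MFA enforced on alice's existing entity alias
    print(login(policy, "alice", True, True, False))     # (True, 'alice', True)
    print(login(policy, " alice ", True, True, False))   # (True, ' alice ', False)
    print(login(policy, " alice ", True, True, True))    # (True, 'alice', True)
    print(find_whitespace_collisions(["alice", " alice ", "bob"]))  # {'alice': ['alice', ' alice ']}
```

The second call shows the failure mode: the directory authenticates the padded name, but the alias is keyed on the raw string, so the MFA requirement attached to the existing "alice" alias never applies. The third call is the corrected behaviour, where the alias comes from the directory entry and the existing enforcement is hit. The audit helper is the check a defender can run over an exported list of alias names to find entities that were already split this way before the update was applied.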
Remediation
Install the update from the vendor's website.