Protection Mechanism Failure in Vault and Vault Enterprise - CVE-2025-6004

Published: August 6, 2025


Vulnerability identifier: #VU113690
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-6004
CWE-ID: CWE-693
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: HashiCorp
Affected software:
Vault
Vault Enterprise

Detailed vulnerability description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to an incorrect implementation of the user lockout mechanism. A remote user can bypass the user lockout feature for the Userpass and LDAP authentication methods by varying the case of characters in the user name when the auth method is not configured to be case sensitive: each case variant is counted as a separate identity, so the failed-attempt counter for the real account never reaches the lockout threshold.
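The root cause described above is a mismatch between the identity the auth method matches on (case-insensitive) and the key the lockout counter is stored under (the raw string as typed). The following Go model is an added example written for this page; it is not Vault's code and makes no claim about how Vault's own lockout is implemented. It shows a lockout tracker whose counter key is produced by a configurable normalizer (`LockoutTracker`, `CaseFold` and the other names are hypothetical): keyed on the raw user name, case variants get independent counters; keyed on the same canonical form the auth method uses for matching, all variants share one counter and the threshold is enforced.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// LockoutTracker counts consecutive failed logins per identity and
// locks the identity once the threshold is reached. The counter key is
// produced by normalize, which must apply the same canonicalization the
// auth method applies when it looks the user up; otherwise every spelling
// the auth method accepts becomes its own counter.
type LockoutTracker struct {
	mu        sync.Mutex
	threshold int
	normalize func(string) string
	failures  map[string]int
}

// NewLockoutTracker builds a tracker. A nil normalize means "key on the
// raw user name", which is the defect pattern described in the advisory.
func NewLockoutTracker(threshold int, normalize func(string) string) *LockoutTracker {
	if normalize == nil {
		normalize = func(s string) string { return s }
	}
	return &LockoutTracker{
		threshold: threshold,
		normalize: normalize,
		failures:  make(map[string]int),
	}
}

// RecordFailure increments the counter for the normalized user and
// reports whether the user is now locked out.
func (t *LockoutTracker) RecordFailure(user string) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	key := t.normalize(user)
	t.failures[key]++
	return t.failures[key] >= t.threshold
}

// IsLockedOut reports whether the normalized user has hit the threshold.
func (t *LockoutTracker) IsLockedOut(user string) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	return t.failures[t.normalize(user)] >= t.threshold
}

// RecordSuccess clears the counter after a successful login.
func (t *LockoutTracker) RecordSuccess(user string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	delete(t.failures, t.normalize(user))
}

// DistinctCounters returns how many separate counters exist; for a
// case-insensitive auth method, one real account should map to one.
func (t *LockoutTracker) DistinctCounters() int {
	t.mu.Lock()
	defer t.mu.Unlock()
	return len(t.failures)
}

// CaseFold is the canonicalization for an auth method that matches user
// names case-insensitively: the lockout key must fold the same way.
func CaseFold(user string) string {
	return strings.ToLower(strings.TrimSpace(user))
}

func main() {
	// Constructed attempts: the same account spelled three ways.
	attempts := []string{"alice", "Alice", "ALICE"}

	raw := NewLockoutTracker(3, nil)      // counter keyed on the raw string
	fixed := NewLockoutTracker(3, CaseFold) // counter keyed on canonical form
	for _, u := range attempts {
		raw.RecordFailure(u)
		fixed.RecordFailure(u)
	}
	fmt.Printf("raw keying:   %d counters, locked=%v\n", raw.DistinctCounters(), raw.IsLockedOut("alice"))
	fmt.Printf("folded keying: %d counter, locked=%v\n", fixed.DistinctCounters(), fixed.IsLockedOut("alice"))
}
```

The same principle applies to detection: when counting failed logins per account in audit data from a case-insensitive auth method, group by the canonical (folded) user name, or a burst of failures spread across spellings will look like several accounts with a handful of failures each.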


How to mitigate CVE-2025-6004

Install updates from the vendor's website.

Sources