#VU113690 Protection Mechanism Failure in Vault and Vault Enterprise - CVE-2025-6004

 


Published: August 6, 2025


Vulnerability identifier: #VU113690
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-6004
CWE-ID: CWE-693
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Vault, Vault Enterprise
Software vendor: HashiCorp

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to an incorrect implementation of the user lockout mechanism. A remote user can bypass the user lockout feature for the Userpass and LDAP authentication methods by varying the case of characters in the username when the auth method is not configured to be case sensitive.
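The following is an added example, not Vault's code: a generic model of a failed-login counter showing why the counter key must be normalized the same way the auth method resolves usernames, plus a check that flags accounts whose failures are spread across case variants. The threshold, class and function names, and sample usernames are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

THRESHOLD = 5  # assumed lockout threshold for this example


class LockoutTracker:
    """Counts failed logins per key and reports when a key is locked."""

    def __init__(self, normalize, threshold=THRESHOLD):
        self.normalize = normalize  # maps a submitted name to a counter key
        self.threshold = threshold
        self.failures = Counter()

    def record_failure(self, username):
        key = self.normalize(username)
        self.failures[key] += 1
        return self.failures[key] >= self.threshold  # True once locked

    def is_locked(self, username):
        return self.failures[self.normalize(username)] >= self.threshold


def case_variant_clusters(failed_names, min_variants=2):
    """Detection: group failed-login names by case-folded form and return
    the accounts that were tried under several different spellings."""
    variants = defaultdict(set)
    for name in failed_names:
        variants[name.casefold()].add(name)
    return {k: sorted(v) for k, v in variants.items() if len(v) >= min_variants}


# Constructed sample: failed logins for one account under different spellings.
SAMPLE_FAILURES = ["alice", "Alice", "ALICE", "aLice", "alicE", "alIce", "bob"]


def run_sample(normalize):
    """Replay the sample through a tracker and report whether 'alice' is locked."""
    tracker = LockoutTracker(normalize)
    for name in SAMPLE_FAILURES:
        tracker.record_failure(name)
    return tracker.is_locked("alice")


if __name__ == "__main__":
    # Keyed on the raw string, every spelling gets its own counter.
    print("raw key locked:   ", run_sample(lambda n: n))
    # Keyed on the case-folded name, all six failures hit one counter.
    print("folded key locked:", run_sample(str.casefold))
    print("case-variant clusters:", case_variant_clusters(SAMPLE_FAILURES))
```

Running `case_variant_clusters` over the usernames in failed-authentication records is a quick way to review whether an unpatched, case-insensitive auth mount saw this pattern.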


Remediation

Install updates from the vendor's website.

External links