#VU113692 Improper authentication in Vault and Vault Enterprise - CVE-2025-6014


Published: August 6, 2025


Vulnerability identifier: #VU113692
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-6014
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Vault
Vault Enterprise
Software vendor:
HashiCorp

Description

The vulnerability allows a remote attacker to bypass TOTP authentication.

The vulnerability exists because entries in the TOTP used-code cache were not normalized, so an already-used code could be submitted again by appending whitespace to it. A remote user who knows an existing user's credentials can therefore bypass TOTP authentication.
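The defect described above, modelled as an added example that is not Vault's own code: a replay cache keyed on the raw submitted string next to one keyed on the normalized string. It assumes the underlying code check tolerates surrounding whitespace and takes the expected code as a plain parameter instead of deriving it from a TOTP secret.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// ReplayCache remembers TOTP codes that were already accepted so a captured
// code cannot be replayed inside its validity window.
type ReplayCache struct {
	mu        sync.Mutex
	used      map[string]bool
	normalize bool // false models the advisory's defect, true the fix
}

func NewReplayCache(normalize bool) *ReplayCache {
	return &ReplayCache{used: make(map[string]bool), normalize: normalize}
}

// canonical is the assumed normalization: strip surrounding whitespace.
func canonical(code string) string { return strings.TrimSpace(code) }

// Validate accepts a given code at most once. expected stands in for the code
// derived from the user's secret for the current window (real TOTP derivation
// is omitted). The code comparison is assumed to tolerate padding, so
// "123456 " verifies as 123456; whether the cache does too depends on normalize.
func (c *ReplayCache) Validate(expected, supplied string) bool {
	if canonical(supplied) != expected {
		return false // wrong code
	}
	key := supplied // vulnerable: "123456" and "123456 " are distinct keys
	if c.normalize {
		key = canonical(supplied) // fixed: one cache entry per logical code
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.used[key] {
		return false // replay of an already-accepted code
	}
	c.used[key] = true
	return true
}

func main() {
	for _, fix := range []bool{false, true} {
		c := NewReplayCache(fix)
		first, replay := c.Validate("123456", "123456"), c.Validate("123456", "123456 ")
		fmt.Printf("normalize=%v first=%v padded replay accepted=%v\n", fix, first, replay)
	}
}
```

With normalize=false the padded replay is accepted, which is the behaviour the advisory describes; with normalize=true it is rejected.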


Remediation

Install updates from vendor's website.

External links