Improper authentication in Vault and Vault Enterprise - CVE-2025-6014

Published: August 6, 2025


Vulnerability identifier: #VU113692
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-6014
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: HashiCorp
Affected software:
Vault
Vault Enterprise

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass TOTP authentication.

The vulnerability exists because entries in the TOTP used-code cache were not normalized before being stored and compared. A code that had already been accepted could be submitted again with trailing whitespace appended: the TOTP check still accepted it, but the cache treated the padded string as a different entry and so did not reject it as a replay. A remote user who knows a valid user's credentials and has observed a code used within its validity window can therefore bypass TOTP authentication. Note that this is a replay-protection bypass, not a recovery of the TOTP secret: the attacker still needs a genuine, recently used code.
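The following Go program is an added illustration of the failure mode described above and of the fix pattern (canonicalize the submitted code once, then use the canonical form for both verification and the replay cache). It is not Vault's code; the cache structure, the six-digit format, and the whitespace-tolerant checkTOTP stand-in are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
	"time"
)

// Illustrative replay cache, not Vault's implementation. Names and the
// whitespace-tolerant checkTOTP stand-in are assumptions for this example.

// UsedCodeCache records TOTP codes already accepted so a second submission
// within the code's validity window is refused.
type UsedCodeCache struct {
	mu   sync.Mutex
	seen map[string]time.Time // cache key -> time the code was accepted
	ttl  time.Duration        // must cover at least the TOTP validity window
}

func NewUsedCodeCache(ttl time.Duration) *UsedCodeCache {
	return &UsedCodeCache{seen: make(map[string]time.Time), ttl: ttl}
}

// MarkIfUnused returns true and records key if it has not been seen within
// ttl; it returns false if the key is already present (a replay).
func (c *UsedCodeCache) MarkIfUnused(key string, now time.Time) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	for k, t := range c.seen { // drop entries older than the window
		if now.Sub(t) > c.ttl {
			delete(c.seen, k)
		}
	}
	if _, dup := c.seen[key]; dup {
		return false
	}
	c.seen[key] = now
	return true
}

// checkTOTP stands in for a TOTP library that tolerates surrounding
// whitespace. A real verifier derives the code from the shared secret.
func checkTOTP(expected, submitted string) bool {
	return strings.TrimSpace(submitted) == expected
}

// validateVulnerable mirrors the pre-fix behaviour: the verifier accepts
// "123456 " as 123456, but the cache is keyed on the raw string, so the
// padded replay lands on a different entry and is not rejected.
func validateVulnerable(cache *UsedCodeCache, expected, submitted string, now time.Time) bool {
	if !checkTOTP(expected, submitted) {
		return false
	}
	return cache.MarkIfUnused(submitted, now)
}

// canonicalizeCode trims surrounding whitespace and requires exactly six
// ASCII digits; the returned string is the only form used afterwards.
func canonicalizeCode(submitted string) (string, bool) {
	code := strings.TrimSpace(submitted)
	if len(code) != 6 {
		return "", false
	}
	for _, r := range code {
		if r < '0' || r > '9' {
			return "", false
		}
	}
	return code, true
}

// validateFixed normalizes once, up front, so every spelling of a used code
// maps to the same cache entry.
func validateFixed(cache *UsedCodeCache, expected, submitted string, now time.Time) bool {
	code, ok := canonicalizeCode(submitted)
	if !ok {
		return false
	}
	if !checkTOTP(expected, code) {
		return false
	}
	return cache.MarkIfUnused(code, now)
}

func main() {
	now := time.Now()
	const expected = "123456" // constructed sample code for the current window
	vuln := NewUsedCodeCache(90 * time.Second)
	fmt.Println("vulnerable first use / exact replay / padded replay:",
		validateVulnerable(vuln, expected, "123456", now),
		validateVulnerable(vuln, expected, "123456", now),
		validateVulnerable(vuln, expected, "123456 ", now))
	fixed := NewUsedCodeCache(90 * time.Second)
	fmt.Println("fixed first use / padded replay / tab-newline replay:",
		validateFixed(fixed, expected, "123456", now),
		validateFixed(fixed, expected, "123456 ", now),
		validateFixed(fixed, expected, "\t123456\n", now))
}
```

The general lesson is that any replay or rate-limit cache keyed on user input must be keyed on the same canonical form the verifier actually checks; when the verifier is more lenient than the cache, every accepted spelling becomes a fresh key.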


How to mitigate CVE-2025-6014

Install the fixed release from the vendor's website. Until the update is applied, treat any account whose TOTP code may have been observed (for example over a shared or logged channel) as exposed, and rotate its password, since the bypass requires valid credentials plus a recently used code.

Sources