Improper authentication in Vault and Vault Enterprise - CVE-2025-6013

 

Published: August 6, 2025


Vulnerability identifier: #VU113695
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-6013
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: HashiCorp
Affected software:
Vault
Vault Enterprise

Detailed vulnerability description

The vulnerability allows a remote attacker who can authenticate to the LDAP backend to bypass MFA enforcement.

The vulnerability exists because the LDAP authentication method does not correctly enforce MFA when "username_as_alias" is set to true and a user has multiple CNs that are equal except for leading or trailing spaces. LDAP usernames containing extra whitespace can still be valid: the LDAP backend normalizes the name and authenticates the user successfully.

On a successful login, the LDAP auth method set the entity alias name to the value supplied by the user rather than to the normalized username taken from the DN returned by the LDAP directory.

Because strings with extra spaces were not normalized consistently, the same directory account could be given a different entity alias name (and potentially a duplicate entity alias ID), so in some configurations the MFA enforcement attached to the expected entity was not applied.
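To make the failure mode concrete, the following is an added toy model, not Vault's code: the directory entry, the identity store, the mount name "ldap" and the function names are constructed for illustration, and MFA enforcement is assumed to be bound to an entity (one of the configurations the advisory describes as affected). It plays out both login paths: the vulnerable one names the alias after the raw string the user typed, the corrected one derives it from the DN the directory returned.

```python
"""Toy model of the alias-normalization flaw behind CVE-2025-6013.

Added illustration, not Vault's code. A user whose directory entry has two
CN values that differ only by trailing whitespace logs in twice, once as
"alice" and once as "alice ". Under username_as_alias=true the vulnerable
path turns those into two aliases and two entities, so an MFA enforcement
bound to the first entity never fires for the second login.
"""
import itertools

MOUNT = "ldap"  # assumed auth mount name used in alias keys

# Constructed directory entry: one person, two CN values that are equal
# except for trailing whitespace (the precondition named in the advisory).
DIRECTORY = [
    {"dn": "cn=alice,ou=users,dc=example,dc=com",
     "cn": ["alice", "alice "],
     "password": "correct horse"},
]


def normalize(s):
    """Whitespace and case folding applied when matching a login name to CNs."""
    return s.strip().lower()


def ldap_bind(username, password):
    """Return the entry's DN when the credentials match, else None.

    Any CN value matches after normalization, so 'alice ' binds as alice;
    the DN returned is the same regardless of how the name was typed.
    """
    for entry in DIRECTORY:
        if any(normalize(cn) == normalize(username) for cn in entry["cn"]):
            return entry["dn"] if entry["password"] == password else None
    return None


def username_from_dn(dn):
    """Normalized RDN value ('cn=alice,...' -> 'alice'); what the fix keys on."""
    rdn = dn.split(",", 1)[0]
    return normalize(rdn.split("=", 1)[1])


class IdentityStore:
    """Minimal stand-in for an identity store: aliases keyed by
    (mount, alias name); an unknown alias silently creates a fresh entity."""

    def __init__(self):
        self.aliases = {}          # (mount, alias_name) -> entity id
        self.mfa_entities = set()  # entity ids that carry a login-MFA enforcement
        self._ids = itertools.count(1)

    def entity_for_alias(self, mount, alias_name):
        key = (mount, alias_name)
        if key not in self.aliases:
            self.aliases[key] = f"entity-{next(self._ids)}"
        return self.aliases[key]

    def require_mfa(self, entity_id):
        self.mfa_entities.add(entity_id)


def login(store, username, password, username_as_alias=True, fixed=False):
    """Authenticate against the toy directory and resolve the entity.

    Returns (entity_id, mfa_required), or None on bad credentials.
    fixed=False: alias name is the raw user input (vulnerable behaviour).
    fixed=True:  alias name is derived from the DN the directory returned.
    """
    dn = ldap_bind(username, password)
    if dn is None:
        return None
    if not username_as_alias:
        alias_name = dn                  # DN-based aliases are not affected
    elif fixed:
        alias_name = username_from_dn(dn)
    else:
        alias_name = username            # BUG: unnormalized user input
    entity_id = store.entity_for_alias(MOUNT, alias_name)
    return entity_id, entity_id in store.mfa_entities


def scenario(fixed):
    """First login as 'alice' gets an MFA enforcement on its entity; the second
    login as 'alice ' should land on that same entity and require MFA.
    Returns (same_entity, mfa_required_on_second_login)."""
    store = IdentityStore()
    first, _ = login(store, "alice", "correct horse", fixed=fixed)
    store.require_mfa(first)
    second, mfa = login(store, "alice ", "correct horse", fixed=fixed)
    return first == second, mfa


if __name__ == "__main__":
    print("vulnerable:", scenario(fixed=False))  # (False, False): MFA skipped
    print("fixed:     ", scenario(fixed=True))   # (True, True)
```

The point of the model is the key used for the alias lookup: once the directory has accepted the bind, the only trustworthy name is the one the directory returned, not the one the client typed. Aliases keyed on the DN (username_as_alias=false) never split in this way, which is why the advisory limits the condition to username_as_alias=true.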


How to mitigate CVE-2025-6013

Install updates from the vendor's website. The issue is only reachable on LDAP auth mounts configured with "username_as_alias" set to true, so audit those mounts while the update is being rolled out.

Sources