CVE-2025-6011 is a timing side-channel vulnerability affecting HashiCorp Vault and Vault Enterprise's Userpass authentication method. The vulnerability arises because the authentication process leaks timing information that allows an attacker to distinguish between valid and invalid usernames. Specifically, the time taken to respond to authentication attempts differs measurably depending on whether the username exists in the system or not. This discrepancy enables an attacker to enumerate valid usernames by measuring response times, which is a form of information disclosure categorized under CWE-203 (Observable Discrepancy). The vulnerability does not allow direct compromise of credentials or system integrity but leaks sensitive information that can facilitate further attacks, such as targeted brute force or social engineering. The issue affects multiple versions of Vault prior to the patched releases: Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23. The CVSS v3.1 score is 3.7 (low severity), reflecting the limited impact on confidentiality and no impact on integrity or availability. Exploitation requires network access but no authentication or user interaction. No known exploits are currently reported in the wild. The vulnerability is mitigated by applying the patches released by HashiCorp in the specified versions.

For European organizations using HashiCorp Vault with the Userpass authentication method, this vulnerability poses a risk of user enumeration. While the direct impact is limited to information disclosure, the ability to identify valid usernames can significantly aid attackers in launching targeted attacks such as credential stuffing, phishing, or brute force attempts. This is particularly concerning for organizations managing sensitive data or critical infrastructure, where user credentials are a valuable target. The vulnerability does not allow direct compromise of Vault secrets or system availability but weakens the security posture by exposing valid user identifiers. Organizations in sectors like finance, healthcare, government, and critical infrastructure in Europe, which often rely on Vault for secrets management, could see an increased risk of follow-on attacks if this vulnerability is not addressed. However, the low CVSS score and absence of known exploits suggest the immediate risk is moderate but should not be ignored.

1. Apply the official patches released by HashiCorp for Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23 as soon as possible to eliminate the timing discrepancy. 2. If immediate patching is not feasible, implement network-level controls such as rate limiting and IP blacklisting to reduce the feasibility of automated username enumeration attempts. 3. Monitor authentication logs for unusual patterns indicative of enumeration attempts, such as repeated failed login attempts with varying usernames. 4. Consider disabling the Userpass authentication method if it is not required or replacing it with more secure authentication methods supported by Vault, such as token-based or OIDC authentication. 5. Educate security teams to recognize the risks associated with user enumeration and incorporate this vulnerability into threat modeling and incident response plans. 6. Employ application-layer mitigations like introducing uniform response times or error messages to reduce timing side-channel leakage if custom authentication methods are used.