Skip to main content

CVE-2025-6015: CWE-307: Improper Restriction of Excessive Authentication Attempts in HashiCorp Vault

Medium
VulnerabilityCVE-2025-6015cvecve-2025-6015cwe-307
Published: Fri Aug 01 2025 (08/01/2025, 18:03:53 UTC)
Source: CVE Database V5
Vendor/Project: HashiCorp
Product: Vault

Description

Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

AI-Powered Analysis

AILast updated: 08/01/2025, 18:33:04 UTC

Technical Analysis

CVE-2025-6015 is a medium-severity vulnerability affecting HashiCorp Vault and Vault Enterprise versions starting from 1.10.0. The issue relates to improper restriction of excessive authentication attempts (CWE-307) in the multi-factor authentication (MFA) login process. Specifically, the vulnerability allows an attacker with some level of privileges (PR:L - privileges required) and requiring user interaction (UI:R) to bypass the rate limits imposed on MFA login attempts. Additionally, the vulnerability permits reuse of Time-based One-Time Password (TOTP) tokens, which undermines the intended one-time use security mechanism of TOTP. The vulnerability does not impact availability or integrity but has a high impact on confidentiality, as unauthorized access to Vault could expose sensitive secrets and credentials stored within. The CVSS vector indicates that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L). The vulnerability has been fixed in Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23. No known exploits are currently reported in the wild. The vulnerability's root cause is the insufficient enforcement of rate limiting on MFA login attempts and improper handling of TOTP token reuse, which could allow attackers to brute force or replay authentication tokens, potentially gaining unauthorized access to Vault secrets.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data managed by HashiCorp Vault, a widely used secrets management and identity-based security tool. Vault is often employed to store credentials, API keys, certificates, and other critical secrets that protect infrastructure and applications. Exploitation could lead to unauthorized disclosure of these secrets, enabling further lateral movement, privilege escalation, or data breaches. Given the regulatory environment in Europe, including GDPR, unauthorized access to sensitive information could result in legal penalties and reputational damage. Organizations relying on Vault for securing cloud-native applications, DevOps pipelines, or critical infrastructure are particularly at risk. The vulnerability's ability to bypass MFA rate limits and reuse TOTP tokens weakens a key security control, potentially allowing attackers to circumvent multi-factor authentication protections that are essential for compliance and security best practices.

Mitigation Recommendations

European organizations should urgently upgrade affected Vault instances to the patched versions: Vault Community Edition 1.20.1 or Vault Enterprise 1.20.1, 1.19.7, 1.18.12, or 1.16.23. Until upgrades can be applied, organizations should implement additional compensating controls such as: 1) Enforce network-level restrictions to limit access to Vault login endpoints only to trusted IP addresses or VPNs. 2) Monitor authentication logs for unusual patterns of repeated MFA attempts or TOTP token reuse and trigger alerts for investigation. 3) Temporarily increase the strictness of rate limiting at the network or application firewall level to mitigate brute force attempts. 4) Review and tighten Vault access policies to minimize the number of users with login privileges requiring MFA. 5) Educate users on the importance of MFA token security and discourage token sharing or reuse. 6) Consider integrating additional anomaly detection tools that can detect suspicious authentication behaviors. These measures, combined with prompt patching, will reduce the risk of exploitation.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
HashiCorp
Date Reserved
2025-06-11T19:05:27.750Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 688d04c8ad5a09ad00cb188c

Added to database: 8/1/2025, 6:17:44 PM

Last enriched: 8/1/2025, 6:33:04 PM

Last updated: 8/2/2025, 10:48:28 AM

Views: 7

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats