CVE-2025-6015: CWE-307: Improper Restriction of Excessive Authentication Attempts in HashiCorp Vault
Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
AI Analysis
Technical Summary
CVE-2025-6015 is a medium-severity vulnerability affecting HashiCorp Vault and Vault Enterprise versions starting from 1.10.0. The issue relates to improper restriction of excessive authentication attempts (CWE-307) in the multi-factor authentication (MFA) login process. Specifically, the vulnerability allows an attacker with some level of privileges (PR:L - privileges required) and requiring user interaction (UI:R) to bypass the rate limits imposed on MFA login attempts. Additionally, the vulnerability permits reuse of Time-based One-Time Password (TOTP) tokens, which undermines the intended one-time use security mechanism of TOTP. The vulnerability does not impact availability or integrity but has a high impact on confidentiality, as unauthorized access to Vault could expose sensitive secrets and credentials stored within. The CVSS vector indicates that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L). The vulnerability has been fixed in Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23. No known exploits are currently reported in the wild. The vulnerability's root cause is the insufficient enforcement of rate limiting on MFA login attempts and improper handling of TOTP token reuse, which could allow attackers to brute force or replay authentication tokens, potentially gaining unauthorized access to Vault secrets.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data managed by HashiCorp Vault, a widely used secrets management and identity-based security tool. Vault is often employed to store credentials, API keys, certificates, and other critical secrets that protect infrastructure and applications. Exploitation could lead to unauthorized disclosure of these secrets, enabling further lateral movement, privilege escalation, or data breaches. Given the regulatory environment in Europe, including GDPR, unauthorized access to sensitive information could result in legal penalties and reputational damage. Organizations relying on Vault for securing cloud-native applications, DevOps pipelines, or critical infrastructure are particularly at risk. The vulnerability's ability to bypass MFA rate limits and reuse TOTP tokens weakens a key security control, potentially allowing attackers to circumvent multi-factor authentication protections that are essential for compliance and security best practices.
Mitigation Recommendations
European organizations should urgently upgrade affected Vault instances to the patched versions: Vault Community Edition 1.20.1 or Vault Enterprise 1.20.1, 1.19.7, 1.18.12, or 1.16.23. Until upgrades can be applied, organizations should implement additional compensating controls such as: 1) Enforce network-level restrictions to limit access to Vault login endpoints only to trusted IP addresses or VPNs. 2) Monitor authentication logs for unusual patterns of repeated MFA attempts or TOTP token reuse and trigger alerts for investigation. 3) Temporarily increase the strictness of rate limiting at the network or application firewall level to mitigate brute force attempts. 4) Review and tighten Vault access policies to minimize the number of users with login privileges requiring MFA. 5) Educate users on the importance of MFA token security and discourage token sharing or reuse. 6) Consider integrating additional anomaly detection tools that can detect suspicious authentication behaviors. These measures, combined with prompt patching, will reduce the risk of exploitation.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Switzerland
CVE-2025-6015: CWE-307: Improper Restriction of Excessive Authentication Attempts in HashiCorp Vault
Description
Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
AI-Powered Analysis
Technical Analysis
CVE-2025-6015 is a medium-severity vulnerability affecting HashiCorp Vault and Vault Enterprise versions starting from 1.10.0. The issue relates to improper restriction of excessive authentication attempts (CWE-307) in the multi-factor authentication (MFA) login process. Specifically, the vulnerability allows an attacker with some level of privileges (PR:L - privileges required) and requiring user interaction (UI:R) to bypass the rate limits imposed on MFA login attempts. Additionally, the vulnerability permits reuse of Time-based One-Time Password (TOTP) tokens, which undermines the intended one-time use security mechanism of TOTP. The vulnerability does not impact availability or integrity but has a high impact on confidentiality, as unauthorized access to Vault could expose sensitive secrets and credentials stored within. The CVSS vector indicates that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L). The vulnerability has been fixed in Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23. No known exploits are currently reported in the wild. The vulnerability's root cause is the insufficient enforcement of rate limiting on MFA login attempts and improper handling of TOTP token reuse, which could allow attackers to brute force or replay authentication tokens, potentially gaining unauthorized access to Vault secrets.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data managed by HashiCorp Vault, a widely used secrets management and identity-based security tool. Vault is often employed to store credentials, API keys, certificates, and other critical secrets that protect infrastructure and applications. Exploitation could lead to unauthorized disclosure of these secrets, enabling further lateral movement, privilege escalation, or data breaches. Given the regulatory environment in Europe, including GDPR, unauthorized access to sensitive information could result in legal penalties and reputational damage. Organizations relying on Vault for securing cloud-native applications, DevOps pipelines, or critical infrastructure are particularly at risk. The vulnerability's ability to bypass MFA rate limits and reuse TOTP tokens weakens a key security control, potentially allowing attackers to circumvent multi-factor authentication protections that are essential for compliance and security best practices.
Mitigation Recommendations
European organizations should urgently upgrade affected Vault instances to the patched versions: Vault Community Edition 1.20.1 or Vault Enterprise 1.20.1, 1.19.7, 1.18.12, or 1.16.23. Until upgrades can be applied, organizations should implement additional compensating controls such as: 1) Enforce network-level restrictions to limit access to Vault login endpoints only to trusted IP addresses or VPNs. 2) Monitor authentication logs for unusual patterns of repeated MFA attempts or TOTP token reuse and trigger alerts for investigation. 3) Temporarily increase the strictness of rate limiting at the network or application firewall level to mitigate brute force attempts. 4) Review and tighten Vault access policies to minimize the number of users with login privileges requiring MFA. 5) Educate users on the importance of MFA token security and discourage token sharing or reuse. 6) Consider integrating additional anomaly detection tools that can detect suspicious authentication behaviors. These measures, combined with prompt patching, will reduce the risk of exploitation.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- HashiCorp
- Date Reserved
- 2025-06-11T19:05:27.750Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 688d04c8ad5a09ad00cb188c
Added to database: 8/1/2025, 6:17:44 PM
Last enriched: 8/1/2025, 6:33:04 PM
Last updated: 8/2/2025, 10:48:28 AM
Views: 7
Related Threats
CVE-2025-7710: CWE-288 Authentication Bypass Using an Alternate Path or Channel in Brave Brave Conversion Engine (PRO)
CriticalCVE-2025-7500: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in oceanwp Ocean Social Sharing
MediumCVE-2025-8467: SQL Injection in code-projects Wazifa System
MediumCVE-2025-8488: CWE-862 Missing Authorization in brainstormforce Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)
MediumCVE-2025-6722: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in bitslip6 BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.