CVE-2025-6015 is a medium-severity vulnerability affecting HashiCorp Vault and Vault Enterprise versions starting from 1.10.0. The issue relates to improper restriction of excessive authentication attempts (CWE-307) in the multi-factor authentication (MFA) login process. Specifically, the vulnerability allows an attacker with some level of privileges (PR:L - privileges required) and requiring user interaction (UI:R) to bypass the rate limits imposed on MFA login attempts. Additionally, the vulnerability permits reuse of Time-based One-Time Password (TOTP) tokens, which undermines the intended one-time use security mechanism of TOTP. The vulnerability does not impact availability or integrity but has a high impact on confidentiality, as unauthorized access to Vault could expose sensitive secrets and credentials stored within. The CVSS vector indicates that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L). The vulnerability has been fixed in Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23. No known exploits are currently reported in the wild. The vulnerability's root cause is the insufficient enforcement of rate limiting on MFA login attempts and improper handling of TOTP token reuse, which could allow attackers to brute force or replay authentication tokens, potentially gaining unauthorized access to Vault secrets.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data managed by HashiCorp Vault, a widely used secrets management and identity-based security tool. Vault is often employed to store credentials, API keys, certificates, and other critical secrets that protect infrastructure and applications. Exploitation could lead to unauthorized disclosure of these secrets, enabling further lateral movement, privilege escalation, or data breaches. Given the regulatory environment in Europe, including GDPR, unauthorized access to sensitive information could result in legal penalties and reputational damage. Organizations relying on Vault for securing cloud-native applications, DevOps pipelines, or critical infrastructure are particularly at risk. The vulnerability's ability to bypass MFA rate limits and reuse TOTP tokens weakens a key security control, potentially allowing attackers to circumvent multi-factor authentication protections that are essential for compliance and security best practices.

European organizations should urgently upgrade affected Vault instances to the patched versions: Vault Community Edition 1.20.1 or Vault Enterprise 1.20.1, 1.19.7, 1.18.12, or 1.16.23. Until upgrades can be applied, organizations should implement additional compensating controls such as: 1) Enforce network-level restrictions to limit access to Vault login endpoints only to trusted IP addresses or VPNs. 2) Monitor authentication logs for unusual patterns of repeated MFA attempts or TOTP token reuse and trigger alerts for investigation. 3) Temporarily increase the strictness of rate limiting at the network or application firewall level to mitigate brute force attempts. 4) Review and tighten Vault access policies to minimize the number of users with login privileges requiring MFA. 5) Educate users on the importance of MFA token security and discourage token sharing or reuse. 6) Consider integrating additional anomaly detection tools that can detect suspicious authentication behaviors. These measures, combined with prompt patching, will reduce the risk of exploitation.