CVE-2025-11621

8.1 HIGH

📋 TL;DR

This vulnerability allows authentication bypass in HashiCorp Vault's AWS Auth method when the bound_principal_iam role is identical across AWS accounts or uses wildcards. Attackers could gain unauthorized access to Vault secrets. Organizations using Vault with AWS Auth method are affected.

💻 Affected Systems

Products:
  • HashiCorp Vault Community Edition
  • HashiCorp Vault Enterprise
Versions: All versions before Vault Community Edition 1.21.0, Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27
Operating Systems: All supported platforms
Default Config Vulnerable: ✅ No
Notes: Only affects systems using AWS Auth method with bound_principal_iam configuration where roles are identical across AWS accounts or use wildcards.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Vault secrets, allowing attackers to access sensitive credentials, certificates, and encryption keys stored in Vault.

🟠 Likely Case

Unauthorized access to specific secrets based on the compromised role's permissions, potentially leading to lateral movement in cloud environments.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and monitoring are in place to detect anomalous access patterns.

🌐 Internet-Facing: MEDIUM - While Vault typically isn't directly internet-facing, compromised AWS credentials could be used from external systems.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems could exploit this to bypass authentication controls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires AWS credentials and knowledge of Vault configuration. Exploitation depends on specific misconfigurations in bound_principal_iam settings.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Vault Community Edition 1.21.0, Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709

Restart Required: Yes

Instructions:

1. Back up Vault configuration and data.
2. Download the patched version from HashiCorp releases.
3. Stop the Vault service.
4. Replace the binary with the patched version.
5. Restart the Vault service.
6. Verify the service is running correctly.

🔧 Temporary Workarounds

Remove duplicate bound_principal_iam roles (applies to: all)

Ensure each bound_principal_iam role is unique across AWS accounts and avoid wildcards in role configurations. The Vault role parameter that holds this binding is bound_iam_principal_arn:

vault write auth/aws/role/<role_name> bound_iam_principal_arn=<unique_arn>

Disable AWS Auth method if unused (applies to: all)

Temporarily disable the AWS Auth method if it is not required for operations.

vault auth disable aws

🧯 If You Can't Patch

  • Review and modify AWS Auth role configurations to ensure bound_principal_iam values are unique across accounts
  • Implement additional authentication factors or network controls for Vault access

🔍 How to Verify

Check if Vulnerable:

Check AWS Auth method configuration: vault read auth/aws/role/<role_name> and verify bound_principal_iam values are not duplicated across accounts or using wildcards.
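An added audit script (not part of this advisory page) that applies the check above to role definitions exported with `vault read -format=json auth/aws/role/<role_name>`: it flags wildcard bindings and IAM role names that are bound under more than one AWS account. The page calls the parameter bound_principal_iam; the Vault role field the script reads is bound_iam_principal_arn. The role data below is a constructed sample.

```python
import json
import re
from collections import defaultdict

# IAM ARNs have an empty region field: arn:partition:iam::ACCOUNT:resource
ARN_RE = re.compile(r"^arn:[^:]+:iam::(\d{12}|\*):(.+)$")

def parse_arn(arn):
    """Return (account_id, resource) for an IAM ARN, or None if it does not parse."""
    m = ARN_RE.match(arn)
    return (m.group(1), m.group(2)) if m else None

def bound_arns_from_read_output(text):
    """Extract bound_iam_principal_arn from `vault read -format=json auth/aws/role/<name>`
    output; accept either a single string or a list and always return a list."""
    value = json.loads(text)["data"].get("bound_iam_principal_arn") or []
    return [value] if isinstance(value, str) else list(value)

def audit_roles(roles):
    """roles: {vault_role_name: [bound ARNs]}. Returns sorted (kind, vault_role, detail)
    findings for wildcard bindings and IAM role names shared across AWS accounts."""
    findings = []
    by_resource = defaultdict(set)  # IAM resource (e.g. role/app) -> {(account, vault_role)}
    for vault_role, arns in roles.items():
        for arn in arns:
            if "*" in arn:
                findings.append(("wildcard", vault_role, arn))
            parsed = parse_arn(arn)
            if parsed is None:
                findings.append(("unparseable", vault_role, arn))
                continue
            account, resource = parsed
            by_resource[resource].add((account, vault_role))
    for resource, bindings in by_resource.items():
        accounts = sorted({acct for acct, _ in bindings})
        if len(accounts) > 1:  # same IAM role name bound from different accounts
            for _, vault_role in sorted(bindings):
                findings.append(("same-name-across-accounts", vault_role,
                                 f"{resource} bound in accounts {accounts}"))
    return sorted(findings)

# Constructed sample of what `vault read -format=json auth/aws/role/payments` could return
SAMPLE_READ_OUTPUT = '{"data": {"bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/app-runner"]}}'

# Constructed sample of four Vault roles and their bound ARNs
SAMPLE_ROLES = {
    "payments": bound_arns_from_read_output(SAMPLE_READ_OUTPUT),
    "payments-staging": ["arn:aws:iam::222222222222:role/app-runner"],
    "ci": ["arn:aws:iam::333333333333:role/ci-*"],
    "billing": ["arn:aws:iam::444444444444:role/billing"],
}

if __name__ == "__main__":
    for kind, vault_role, detail in audit_roles(SAMPLE_ROLES):
        print(f"{kind:28} {vault_role:18} {detail}")
```

Feed it the output of `vault list auth/aws/role` plus one `vault read -format=json` per role to audit a live mount; any finding corresponds to a configuration the advisory describes as affected.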

Check Version:

vault version

Verify Fix Applied:

Verify Vault version is patched: vault version, then test AWS authentication with previously vulnerable configurations.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns from AWS principals
  • Multiple authentication attempts from different AWS accounts to same role
  • Authentication failures followed by successes from same source

Network Indicators:

  • Unexpected Vault API calls from AWS metadata service IP ranges
  • Authentication requests from unusual geographic locations

SIEM Query:

source="vault" ("auth" AND "aws" AND "success") | stats count by src_ip, user
