CVE-2025-6014

6.5 MEDIUM

📋 TL;DR

The code-validation endpoint of Vault's TOTP secrets engine (totp/code/<name>) accepted a time-based one-time password more than once within its validity period, instead of treating each code as single-use as RFC 6238 requires of a verifier. This affects HashiCorp Vault Community Edition and Vault Enterprise deployments that have the TOTP secrets engine enabled and use it to verify codes submitted by users. An attacker who captures a code a user has just entered (phishing page, shoulder surfing, a compromised client) can replay it for the rest of the window, up to about 90 seconds with the default period of 30 seconds and skew of 1, and so defeat the second factor for that account.

💻 Affected Systems

Products:
  • HashiCorp Vault Community Edition
  • HashiCorp Vault Enterprise
Versions: All versions before Vault Community Edition 1.20.1, Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ No
Notes: The TOTP secrets engine is not mounted by default; it has to be enabled explicitly (vault secrets enable totp). Only deployments with the engine enabled and used for code validation are affected. Vault's separate login MFA feature is not the component described here.

📦 What is this software?

HashiCorp Vault is a secrets-management and identity platform. Its TOTP secrets engine can act as a code generator for a key Vault stores (read totp/code/<name> returns the current code, like an authenticator app), or as a provider that creates keys, hands the enrolment URL or QR code to a user's authenticator app, and then validates the codes the user submits (write totp/code/<name> with code=...). Applications use the second mode to outsource second-factor verification to Vault, which is the path this vulnerability concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete bypass of TOTP-based MFA, allowing unauthorized access to protected resources and secrets.

🟠

Likely Case

Account-level second-factor bypass where the attacker already holds the first factor and can observe a freshly used code; codes cannot be predicted without the shared secret, so the replay must happen within seconds of the legitimate use.

🟢

If Mitigated

Minimal impact once the patched version is running, or where the calling application keeps its own record of accepted codes per user and refuses repeats; codes that are never exposed to an observer (no logging of submitted codes, TLS end to end) also give the attacker nothing to replay.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires a genuine code captured while it is still valid, plus either a Vault token permitted to write totp/code/<name> or access to the application front end that calls it. The attacker cannot compute codes without the key; the defect only removes the single-use check.
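The following is an added illustration, not code from the advisory or from Vault itself: a minimal RFC 6238 verifier written two ways. StatelessValidator shows the defective pattern the advisory describes (a code is accepted whenever it matches the current or an adjacent window, with nothing recording that it was already consumed), and SingleUseValidator shows the fix (remember the counter a code matched and refuse it until that counter has aged out of every window that could still accept it). The period, skew and digit defaults match the TOTP engine's defaults; the timestamp and the RFC 4226 test-vector key are constructed inputs. The same two submissions, with a real key, are also the check to run against a Vault you have just patched.

```python
import hashlib
import hmac
import struct


def totp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) over a time counter (RFC 6238) with HMAC-SHA1, the default algorithm for Vault TOTP keys."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class StatelessValidator:
    """The defective pattern: a code is accepted whenever it matches the current
    window or one of `skew` neighbouring windows. Nothing records that the code
    has been consumed, so the same code passes again until the window closes."""

    def __init__(self, secret: bytes, period: int = 30, skew: int = 1, digits: int = 6):
        self.secret, self.period, self.skew, self.digits = secret, period, skew, digits

    def _candidates(self, now: int) -> range:
        counter = int(now) // self.period
        return range(counter - self.skew, counter + self.skew + 1)

    def _well_formed(self, code) -> bool:
        return isinstance(code, str) and code.isdigit() and len(code) == self.digits

    def validate(self, code: str, now: int) -> bool:
        if not self._well_formed(code):
            return False
        for c in self._candidates(now):
            if hmac.compare_digest(totp_code(self.secret, c, self.digits), code):
                return True
        return False


class SingleUseValidator(StatelessValidator):
    """Hardened form: remember which counter a code matched and refuse that
    counter again until it can no longer match any accepted window."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self._consumed = set()  # counters already spent; in an HA deployment this state must be shared

    def validate(self, code: str, now: int) -> bool:
        if not self._well_formed(code):
            return False
        candidates = self._candidates(now)
        # Drop counters older than the oldest acceptable window; the set never exceeds 2*skew+1 entries.
        self._consumed = {c for c in self._consumed if c >= candidates.start}
        for c in candidates:
            if c in self._consumed:
                continue  # already spent: a replay of this window's code
            if hmac.compare_digest(totp_code(self.secret, c, self.digits), code):
                self._consumed.add(c)
                return True
        return False


def demo() -> dict:
    # Constructed inputs: the RFC 4226 test-vector key and a fixed epoch time.
    secret = b"12345678901234567890"
    t0 = 1_700_000_000
    code = totp_code(secret, t0 // 30)
    weak, strong = StatelessValidator(secret), SingleUseValidator(secret)
    return {
        "weak_first": weak.validate(code, t0),
        "weak_replay": weak.validate(code, t0 + 5),                    # the CVE-2025-6014 behaviour
        "strong_first": strong.validate(code, t0),
        "strong_replay_same_window": strong.validate(code, t0 + 5),
        "strong_replay_next_window": strong.validate(code, t0 + 30),  # still inside skew, still refused
        "strong_fresh_next_window": strong.validate(totp_code(secret, t0 // 30 + 1), t0 + 30),
        "strong_after_expiry": strong.validate(code, t0 + 90),        # window closed; rejected either way
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:28s} {'accepted' if accepted else 'rejected'}")
```

The consumed set is keyed on the matched counter rather than on the code string, so a code that is valid for two overlapping windows (skew=1) cannot be replayed in the next window after being accepted in the first. In a clustered validator the set has to live in shared storage; a per-node memory gives an attacker a replay per node.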

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Vault Community Edition 1.20.1, Vault Enterprise 1.20.1, 1.19.7, 1.18.12, or 1.16.23

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036

Restart Required: Yes (the binary is replaced, so each node is restarted and, without auto-unseal, unsealed again)

Instructions:

1. Back up Vault's storage and configuration (with integrated storage, take a snapshot using vault operator raft snapshot save).
2. Download the patched release for your edition and platform from HashiCorp and verify its checksum and signature.
3. In an HA cluster, upgrade the standby nodes first, then step down the active node and upgrade it last, so the cluster stays available.
4. Stop the Vault service on the node.
5. Replace the binary with the patched version.
6. Start Vault and unseal the node unless auto-unseal is configured.
7. Confirm the version with vault version or vault status, then submit one TOTP code twice to totp/code/<name> and confirm the second submission returns valid=false.

🔧 Temporary Workarounds

Disable TOTP Secrets Engine

Applies to: all platforms

Disable the mount if it is not required. This deletes the keys stored under it, so do this only when no application still relies on them.

vault secrets disable totp/

Reduce the TOTP Validity Window

Applies to: all platforms

The validity window is a per-key property set when the key is created; the TOTP engine has no totp/config endpoint. Keys created with the defaults (period=30, skew=1) accept a code for the current window and one window on either side, about 90 seconds in total. Creating keys with skew=0 narrows that to a single 30-second window. Existing keys cannot be changed in place and would have to be re-created and re-enrolled, and this only shortens the replay window; it does not stop reuse inside it. Key name, issuer and account name below are placeholders.

vault write totp/keys/<key-name> generate=true issuer=<issuer> account_name=<user@example.com> period=30 skew=0

🧯 If You Can't Patch

  • Have the application that calls totp/code/<name> keep its own record of codes it has accepted per user for 90 seconds and refuse repeats.
  • Implement additional authentication factors beyond TOTP for sensitive operations.
  • Monitor the Vault audit log for the same code being validated successfully more than once for the same key (see Detection & Monitoring).

🔍 How to Verify

Check if Vulnerable:

Check the version with vault version, then list mounts with vault secrets list and look for any mount of type totp. A version below the fixed releases with a totp mount in use is vulnerable.

Check Version:

vault version

Verify Fix Applied:

Confirm the running version is one of the patched releases. Then generate a code for a test key (read totp/code/<name>) and submit it twice (write totp/code/<name> code=...). A patched Vault answers valid=true once and valid=false on the second submission; an unpatched one answers valid=true both times.

📡 Detection & Monitoring

Log Indicators:

  • The same submitted code accepted more than once for the same totp/code/<name> path within 90 seconds. In the audit log the code value is recorded as an HMAC, but identical HMACs still mean an identical code.
  • After patching: a successful validation followed by a failed validation of the same code for the same key, which is a replay that the fix blocked.

Network Indicators:

  • Validation requests for the same key from different source addresses within a single TOTP period.

SIEM Query:

Splunk-style search over the Vault audit device output (index and sourcetype names are assumptions; adjust to your ingestion):

index=vault sourcetype=vault_audit type=response request.operation=update request.path="totp/code/*" response.data.valid=true | bin _time span=90s | stats count dc(request.remote_address) AS sources BY _time, request.path, request.data.code | where count > 1
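The same rule as offline detection logic, added here as an illustration rather than anything shipped with Vault. The audit lines are constructed in the shape of Vault's file audit device output (one JSON object per line, request data values recorded as hmac-sha256 digests); the digests, addresses and key names are placeholders. The rule groups validation responses by key path and submitted code, and reports a second submission of an already accepted code within the longest time a code can stay valid (90 seconds with the default period and skew), distinguishing a second acceptance (reuse went through, unpatched Vault) from a later rejection (replay blocked by the fix).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

VALIDATION_PREFIX = "totp/code/"

# Constructed sample audit entries; digests and addresses are placeholders.
SAMPLE_AUDIT_LOG = [
    '{"time":"2025-07-01T12:00:00Z","type":"request","request":{"operation":"update","path":"totp/code/alice","remote_address":"10.0.0.5","data":{"code":"hmac-sha256:aaaa1111"}}}',
    '{"time":"2025-07-01T12:00:00Z","type":"response","request":{"operation":"update","path":"totp/code/alice","remote_address":"10.0.0.5","data":{"code":"hmac-sha256:aaaa1111"}},"response":{"data":{"valid":true}}}',
    '{"time":"2025-07-01T12:00:03Z","type":"response","request":{"operation":"update","path":"totp/code/bob","remote_address":"10.0.0.6","data":{"code":"hmac-sha256:bbbb2222"}},"response":{"data":{"valid":true}}}',
    '{"time":"2025-07-01T12:00:05Z","type":"response","request":{"operation":"read","path":"secret/data/app","remote_address":"10.0.0.6"},"response":{"data":{"value":"hmac-sha256:cccc3333"}}}',
    '{"time":"2025-07-01T12:00:12Z","type":"response","request":{"operation":"update","path":"totp/code/alice","remote_address":"10.0.0.9","data":{"code":"hmac-sha256:aaaa1111"}},"response":{"data":{"valid":true}}}',
    '{"time":"2025-07-01T12:00:20Z","type":"response","request":{"operation":"update","path":"totp/code/bob","remote_address":"10.0.0.77","data":{"code":"hmac-sha256:bbbb2222"}},"response":{"data":{"valid":false}}}',
    '{"time":"2025-07-01T12:00:40Z","type":"response","request":{"operation":"update","path":"totp/code/alice","remote_address":"10.0.0.5","data":{"code":"hmac-sha256:dddd4444"}},"response":{"data":{"valid":false}}}',
]


def _parse_time(stamp: str) -> datetime:
    # Audit timestamps are RFC 3339; older Pythons need "Z" spelled out as an offset.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_audit_lines(lines):
    """Keep only response entries for update operations on totp/code/<key>, i.e. validation calls."""
    events = []
    for line in lines:
        entry = json.loads(line)
        req = entry.get("request", {})
        if entry.get("type") != "response" or req.get("operation") != "update":
            continue
        if not req.get("path", "").startswith(VALIDATION_PREFIX):
            continue
        events.append({
            "time": _parse_time(entry["time"]),
            "path": req["path"],
            "code": req.get("data", {}).get("code"),      # HMAC of the submitted code
            "src": req.get("remote_address"),
            "valid": entry.get("response", {}).get("data", {}).get("valid") is True,
        })
    return events


def find_replays(events, window_seconds=90):
    """Report every submission of a code after it was first accepted, within the
    longest time it can remain valid: period * (2 * skew + 1) = 90 s by default."""
    by_code = defaultdict(list)
    for ev in events:
        if ev["code"]:
            by_code[(ev["path"], ev["code"])].append(ev)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (path, code), evs in by_code.items():
        evs.sort(key=lambda e: e["time"])
        first_ok = next((i for i, e in enumerate(evs) if e["valid"]), None)
        if first_ok is None:
            continue  # never accepted, so nothing to replay
        origin = evs[first_ok]
        for later in evs[first_ok + 1:]:
            if later["time"] - origin["time"] > window:
                break
            alerts.append({
                "path": path,
                "code": code,
                "kind": "reuse_accepted" if later["valid"] else "replay_blocked",
                "first_src": origin["src"],
                "replay_src": later["src"],
                "seconds_after": (later["time"] - origin["time"]).total_seconds(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_replays(parse_audit_lines(SAMPLE_AUDIT_LOG)):
        print(alert)
```

On the sample, alice's code is accepted twice 12 seconds apart from two different addresses (the vulnerable behaviour), while bob's code is rejected when resubmitted 17 seconds later (what a patched Vault produces). Both patterns are worth alerting on: the first proves exposure, the second shows someone holding a captured code.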
