CVE-2025-6015
📋 TL;DR
This vulnerability allows attackers to bypass multi-factor authentication (MFA) rate limiting and reuse TOTP tokens in HashiCorp Vault, potentially enabling unauthorized access. It affects Vault Community Edition and Vault Enterprise users with MFA enabled. The issue could allow attackers to brute-force MFA codes or reuse valid tokens.
💻 Affected Systems
- HashiCorp Vault Community Edition
- HashiCorp Vault Enterprise
📦 What is this software?
Vault by HashiCorp
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized administrative access to Vault, potentially compromising all stored secrets, certificates, and encryption keys.
Likely Case
Attackers bypass MFA protections to gain unauthorized access to Vault with standard user privileges, accessing sensitive secrets.
If Mitigated
With proper network segmentation and additional authentication layers, impact is limited to the Vault instance itself.
🎯 Exploit Status
Exploitation requires knowledge of valid usernames and the ability to interact with the Vault authentication endpoint. Attackers need to bypass rate limiting mechanisms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Vault Community Edition 1.20.1, Vault Enterprise 1.20.1, 1.19.7, 1.18.12, or 1.16.23
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038
Restart Required: No
Instructions:
1. Download the patched version from HashiCorp releases.
2. Stop the Vault service.
3. Replace the binary with the patched version.
4. Start the Vault service.
5. Verify the version and functionality.
🔧 Temporary Workarounds
Disable MFA temporarily
Temporarily disable MFA authentication methods until patching can be completed
vault auth disable <mfa_method_name>
Implement network restrictions
Restrict access to Vault authentication endpoints to trusted IP addresses only
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach Vault authentication endpoints
- Enable additional authentication layers (like client certificates) alongside MFA
🔍 How to Verify
Check if Vulnerable:
Run 'vault version' and compare the result against the patched versions listed above, then review the configured auth methods to confirm whether login MFA is enabled
Check Version:
vault version
Verify Fix Applied:
Confirm the version is 1.20.1 or later (Community Edition) or one of the patched Enterprise versions, then confirm that repeated failed MFA login attempts are rate limited
📡 Detection & Monitoring
Log Indicators:
- Multiple failed MFA attempts from same source
- Successful logins with reused TOTP tokens
- Unusual authentication patterns bypassing rate limits
Network Indicators:
- High volume of authentication requests to Vault endpoints
- Authentication traffic from unexpected sources
SIEM Query:
source="vault" AND ("authentication failure" OR "MFA" OR "TOTP") | stats count by src_ip, user
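Detection logic for the log indicators above, as an added example that is not part of this advisory: it scans Vault JSON audit-log lines for many failed sys/mfa/validate calls from one source and for the same TOTP code accepted more than once. Vault audit devices HMAC request values, so a reused code appears as a repeated hmac-sha256 string without the code itself being logged; the sample entries, the layout of mfa_payload and the threshold are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample: Vault audit "response" entries trimmed to the fields the
# detection uses. The mfa_payload layout is an assumption; code values are the
# audit device's HMACs, never plaintext TOTP codes.
SAMPLE_AUDIT_LOG = """
{"time":"2025-07-01T10:00:01Z","type":"response","request":{"path":"sys/mfa/validate","remote_address":"203.0.113.7","data":{"mfa_payload":{"totp-1":["hmac-sha256:aaa"]}}},"error":"failed to validate MFA"}
{"time":"2025-07-01T10:00:02Z","type":"response","request":{"path":"sys/mfa/validate","remote_address":"203.0.113.7","data":{"mfa_payload":{"totp-1":["hmac-sha256:bbb"]}}},"error":"failed to validate MFA"}
{"time":"2025-07-01T10:00:03Z","type":"response","request":{"path":"sys/mfa/validate","remote_address":"203.0.113.7","data":{"mfa_payload":{"totp-1":["hmac-sha256:ccc"]}}},"error":"failed to validate MFA"}
{"time":"2025-07-01T10:00:04Z","type":"response","request":{"path":"sys/mfa/validate","remote_address":"203.0.113.7","data":{"mfa_payload":{"totp-1":["hmac-sha256:ddd"]}}},"auth":{"metadata":{"username":"alice"}}}
{"time":"2025-07-01T10:00:20Z","type":"response","request":{"path":"sys/mfa/validate","remote_address":"198.51.100.9","data":{"mfa_payload":{"totp-1":["hmac-sha256:ddd"]}}},"auth":{"metadata":{"username":"alice"}}}
{"time":"2025-07-01T10:00:30Z","type":"response","request":{"path":"auth/userpass/login/bob","remote_address":"198.51.100.9"},"error":"invalid credentials"}
"""


def mfa_validate_entries(lines):
    """Yield parsed audit entries for completed sys/mfa/validate calls."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        request = entry.get("request") or {}
        if entry.get("type") == "response" and request.get("path") == "sys/mfa/validate":
            yield entry


def failed_mfa_by_source(lines, threshold=3):
    """Sources with at least `threshold` failed MFA validations (brute-force indicator)."""
    failures = Counter()
    for e in mfa_validate_entries(lines):
        if e.get("error"):
            failures[e["request"].get("remote_address", "?")] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


def reused_totp_codes(lines):
    """(method, hmac'd code) pairs accepted more than once, with when/where/who."""
    seen = defaultdict(list)
    for e in mfa_validate_entries(lines):
        if e.get("error"):
            continue  # only successful validations count as token use
        user = ((e.get("auth") or {}).get("metadata") or {}).get("username", "?")
        payload = (e["request"].get("data") or {}).get("mfa_payload") or {}
        for method, codes in payload.items():
            for code in codes:
                seen[(method, code)].append((e["time"], e["request"].get("remote_address"), user))
    return {key: uses for key, uses in seen.items() if len(uses) > 1}
```

Both findings above (three failures from one source, then the same hashed code accepted from two addresses) are what the advisory's rate-limit bypass and token reuse look like in the audit trail.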