CVE-2025-6037
📋 TL;DR
The Vault TLS certificate authentication method fails to properly validate client certificates when configured with non-CA certificates as trusted certificates. This allows attackers to craft malicious certificates that could impersonate legitimate users. Affects HashiCorp Vault and Vault Enterprise deployments using certificate authentication with non-CA trusted certificates.
💻 Affected Systems
- HashiCorp Vault
- HashiCorp Vault Enterprise
📦 What is this software?
Vault by HashiCorp
⚠️ Risk & Real-World Impact
Worst Case
Attackers could gain unauthorized access to Vault secrets by impersonating legitimate users, potentially compromising sensitive data and credentials.
Likely Case
Privileged attackers with network access could impersonate users to access secrets they shouldn't have permission to view.
If Mitigated
With proper network segmentation and monitoring, impact would be limited to specific authentication attempts that could be detected.
🎯 Exploit Status
Requires ability to craft malicious certificates and network access to Vault's authentication endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Vault Community Edition 1.20.1, Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037
Restart Required: No
Instructions:
1. Download the patched version from HashiCorp's releases page.
2. Stop the Vault service.
3. Replace the Vault binary with the patched version.
4. Restart the Vault service.
5. Verify the version with 'vault version'.
🔧 Temporary Workarounds
Use CA certificates for trusted certificates
Configure certificate authentication to use only CA certificates as trusted certificates instead of non-CA certificates.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach Vault's authentication endpoints.
- Enable detailed audit logging for all certificate authentication attempts and monitor for suspicious patterns.
🔍 How to Verify
Check if Vulnerable:
Run 'vault auth list' to see whether a certificate auth method is enabled, then examine that auth method's configuration and check whether any of its trusted certificates is a non-CA (leaf) certificate.
Check Version:
vault version
Verify Fix Applied:
Run 'vault version' to confirm that a patched version is running, then test certificate authentication to confirm that client certificates are validated properly.
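As an added example (not HashiCorp's code and not part of the advisory) that covers both the workaround above and the vulnerability check: given the PEM of each trusted certificate configured on a cert auth method, this Go program reports whether it carries the CA basic constraint; an entry that does not is a non-CA trusted certificate. The sample entries are constructed in-process, and the entry names `corp-ca` and `alice` are invented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// IsCACert reports whether a PEM certificate asserts the CA basic constraint (false means a leaf, non-CA cert).
func IsCACert(pemBytes []byte) (bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return cert.BasicConstraintsValid && cert.IsCA, nil
}

// selfSignedPEM builds a constructed self-signed test certificate, CA or leaf.
func selfSignedPEM(cn string, isCA bool) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Constructed sample standing in for a cert auth method's trusted entries: one CA, one leaf.
	sample := map[string][]byte{"corp-ca": selfSignedPEM("Corp Root CA", true), "alice": selfSignedPEM("alice", false)}
	for name, p := range sample {
		isCA, err := IsCACert(p)
		fmt.Printf("%s: CA=%v err=%v\n", name, isCA, err) // the "alice" entry reports CA=false
	}
}
```

To check a real deployment, feed each trusted certificate's PEM from the cert auth method's configuration into IsCACert in place of the constructed sample.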
📡 Detection & Monitoring
Log Indicators:
- Failed certificate authentication attempts with unusual certificates
- Successful authentications from unexpected sources
Network Indicators:
- Unusual authentication requests to Vault's certificate auth endpoint
SIEM Query:
source="vault" AND ("certificate" OR "auth") AND ("failed" OR "success")