BIT-vault-2025-6013
Improper Authentication vulnerability in vault (Go)
What is BIT-vault-2025-6013 About?
This vulnerability affects the HashiCorp Vault LDAP authentication method. As described in HashiCorp's advisory HCSEC-2025-20 (linked below), login multi-factor authentication (MFA) enforcement could be bypassed when the LDAP username is used as the entity alias. A user holding valid LDAP credentials could obtain a Vault token without completing the MFA challenge that the enforcement was meant to require, defeating the intended second factor.
Affected Software
Technical Details
In releases prior to 1.20.2, the HashiCorp Vault LDAP authentication method did not correctly apply login MFA enforcement during authentication when the LDAP username served as the entity alias (the configuration named in HCSEC-2025-20). Even with an MFA enforcement configured to cover LDAP users, the server could skip the MFA validation step and issue a token on the strength of the primary LDAP credentials alone. For affected users this reduces Vault to single-factor authentication: anyone who obtains a user's LDAP password, whether through phishing, credential reuse or a directory compromise, gains the Vault access that user's policies grant. The defect lies in Vault's enforcement logic, not in the directory server, so hardening the LDAP backend does not address it.
What is the Impact of BIT-vault-2025-6013?
Successful exploitation lets an attacker who holds a user's LDAP credentials bypass login MFA and obtain a Vault token carrying that user's policies, giving unauthorized access to the secrets and operations those policies allow. Because the bypassed control exists precisely to limit the damage of a stolen password, the practical consequence is that a credential compromise alone becomes sufficient to reach protected data and to affect system integrity.
What is the Exploitability of BIT-vault-2025-6013?
Exploitation is of low to medium complexity. The attacker needs valid LDAP credentials for a Vault user whose login is meant to be protected by MFA, and nothing more: no special Vault privileges, and no interaction with a victim beyond the credential theft itself. Access is remote, over the Vault HTTP API, as Vault is normally reached over the network. The bypass is a defect in Vault's enforcement path rather than an operator misconfiguration, so reviewing MFA settings does not close it; upgrading does. The likelihood of exploitation therefore tracks the likelihood of LDAP password compromise (phishing, credential stuffing, directory breaches), which is exactly the scenario the MFA layer was deployed to cover.
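The following Go program is an added verification example for the two passages above; it is not part of this advisory and not Vault's own code. It does two things an operator would want after reading them: it checks a reported Vault version against the single "<1.20.2" range this page lists, and it classifies the JSON body returned by an LDAP login attempt so that, after patching, one can confirm that a user covered by a login MFA enforcement is actually challenged rather than handed a token directly. The three response bodies are constructed, not captured from a server, and are shaped after Vault's login response (an `auth.mfa_requirement` carrying an `mfa_request_id` while MFA is pending, a non-empty `client_token` when a token is issued). The names `IsAffected`, `ClassifyLogin`, the `Outcome` values and all sample values are this example's own, and the version comparison knows nothing about vendor backports to older release lines, which this page does not list.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// FixedVersion is the release the fix section on this page names as patched.
// Caveat: vendor backports to older release lines are not listed here, so a
// patched older line would still be reported as affected by IsAffected.
const FixedVersion = "1.20.2"

// parseVersion turns "1.20.2", "v1.20.2" or "1.20.2+ent" into [major minor patch].
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "+-"); i >= 0 {
		v = v[:i] // drop "+ent" build metadata or a pre-release suffix
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unexpected version string %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("non-numeric component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// IsAffected reports whether a Vault version falls inside the "<1.20.2" range.
func IsAffected(version string) (bool, error) {
	have, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	fixed, _ := parseVersion(FixedVersion)
	for i := range have {
		if have[i] != fixed[i] {
			return have[i] < fixed[i], nil
		}
	}
	return false, nil
}

// loginResponse covers only the parts of a Vault login reply used below. While
// login MFA is pending, Vault returns no client_token and an auth.mfa_requirement
// whose mfa_request_id is later passed to sys/mfa/validate.
type loginResponse struct {
	Auth *struct {
		ClientToken    string `json:"client_token"`
		MFARequirement *struct {
			MFARequestID string `json:"mfa_request_id"`
		} `json:"mfa_requirement"`
	} `json:"auth"`
}

// Outcome classifies one login attempt by a user who is supposed to be covered
// by a login MFA enforcement (hypothetical labels, this example's own).
type Outcome string

const (
	MFAEnforced     Outcome = "mfa challenge pending, no token issued"
	TokenWithoutMFA Outcome = "token issued with no MFA challenge: enforcement not applied"
	LoginFailed     Outcome = "no auth block: credentials rejected or request failed"
)

// ClassifyLogin inspects the JSON body returned by POST auth/ldap/login/<user>.
// A token issued straight from the password step is the bypass signature.
func ClassifyLogin(body []byte) (Outcome, error) {
	var resp loginResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return LoginFailed, err
	}
	switch {
	case resp.Auth == nil:
		return LoginFailed, nil
	case resp.Auth.ClientToken != "":
		return TokenWithoutMFA, nil
	case resp.Auth.MFARequirement != nil && resp.Auth.MFARequirement.MFARequestID != "":
		return MFAEnforced, nil
	}
	return LoginFailed, nil
}

// Constructed sample bodies (not captured from a real server), shaped after the
// Vault HTTP API login response; every value below is made up for this example.
var (
	SampleEnforced = []byte(`{"auth":{"client_token":"","mfa_requirement":{"mfa_request_id":"d0e8c1b4-7b31-4f9b-a6f6-0d3c2f3a9e11","mfa_constraints":{"ldap-totp":{"any":[{"type":"totp","uses_passcode":true}]}}}}}`)
	SampleBypassed = []byte(`{"auth":{"client_token":"hvs.constructed-example-token","policies":["default"],"mfa_requirement":null}}`)
	SampleDenied   = []byte(`{"errors":["ldap operation failed: invalid credentials"]}`)
)

func main() {
	for _, v := range []string{"1.20.1", "1.20.2", "v1.20.2+ent"} {
		affected, _ := IsAffected(v)
		fmt.Printf("%-12s affected=%v\n", v, affected)
	}
	for name, body := range map[string][]byte{"enforced": SampleEnforced, "bypassed": SampleBypassed, "denied": SampleDenied} {
		outcome, _ := ClassifyLogin(body)
		fmt.Printf("%-9s %s\n", name, outcome)
	}
}
```

To use the classifier against a live deployment, feed it the raw body of a login attempt for a test LDAP account that your MFA enforcement is meant to cover; a `TokenWithoutMFA` result on a patched server points at an enforcement that does not actually match the user, which is worth fixing independently of this CVE.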
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-vault-2025-6013?
Available Upgrade Options
- github.com/hashicorp/vault
- <1.20.2 → Upgrade to 1.20.2
Additional Resources
- https://osv.dev/vulnerability/GO-2025-3848
- https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092
- https://osv.dev/vulnerability/GHSA-7rx2-769v-hrwf
- https://github.com/hashicorp/vault
- https://github.com/advisories/GHSA-7rx2-769v-hrwf
- https://nvd.nist.gov/vuln/detail/CVE-2025-6013
What are Similar Vulnerabilities to BIT-vault-2025-6013?
Similar Vulnerabilities: CVE-2022-41316, CVE-2021-36224, CVE-2020-25655, CVE-2020-25656, CVE-2020-25657
