CVE-2025-6004 in Vaultinfo

Summary

by MITRE • 08/01/2025

Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 08/05/2025

The vulnerability identified as CVE-2025-6004 affects HashiCorp Vault and Vault Enterprise authentication mechanisms, specifically targeting the user lockout functionality designed to prevent unauthorized access through brute force attacks. This security flaw represents a critical weakness in the authentication system's ability to enforce account lockout policies for both Userpass and LDAP authentication methods. The issue stems from improper validation of authentication attempts within the lockout mechanism, allowing attackers to circumvent the intended security controls that should temporarily disable accounts after a predetermined number of failed login attempts.

The technical root cause of this vulnerability lies in the implementation of the authentication lockout logic within Vault's user management system. When users attempt to authenticate through Userpass or LDAP methods, the system should track failed attempts and enforce lockout policies based on configurable thresholds. However, the flaw allows malicious actors to perform repeated authentication attempts without triggering the lockout mechanism, effectively disabling the protection that should prevent automated brute force attacks. This bypass occurs at the authentication validation layer where the system fails to properly increment or track failed attempt counters for locked accounts, enabling continued access attempts.

The operational impact of this vulnerability is significant for organizations relying on Vault for sensitive credential management and access control. Attackers can exploit this weakness to conduct prolonged brute force attacks against user accounts without encountering the expected lockout behavior, potentially leading to successful credential compromise. The vulnerability affects multiple Vault versions and deployment scenarios, making it particularly concerning for enterprises that may have various Vault installations across different environments. Organizations using Vault for protecting secrets, certificates, and other sensitive data face increased risk of unauthorized access, especially when the system is configured with default or weak password policies that make brute force attacks more viable.

Security professionals should immediately implement mitigations including updating to the fixed versions of Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23 as specified in the patch release notes. Organizations should also review their authentication configurations to ensure proper lockout policies are implemented and monitored, while considering additional security controls such as multi-factor authentication, IP address restrictions, and enhanced monitoring of authentication attempts. The vulnerability aligns with CWE-305 authentication bypass weaknesses and could be categorized under ATT&CK technique T1110.003 for credential stuffing and brute force attacks, emphasizing the need for comprehensive security measures beyond the immediate patch deployment.

Responsible

HashiCorp

Reservation

06/11/2025

Disclosure

08/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00394

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!