CVE-2025-6015

Summary

Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Affected Software

VendorProductVersion RangeStatus
HashiCorpVault1.10.0 < 1.20.1affected
HashiCorpVault Enterprise1.10.0 < 1.20.1affected

Weaknesses

  • CWE-307: CWE-307: Improper Restriction of Excessive Authentication Attempts

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References