CVE-2025-6015
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-01

Last updated on: 2025-08-13

Assigner: HashiCorp Inc.

Description
Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-01
Last Modified
2025-08-13
Generated
2026-05-07
AI Q&A
2025-08-01
EPSS Evaluated
2026-05-05
NVD
CVE-2025-6015
EUVD
EUVD-2025-23379
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
hashicorp vault From 1.10.0 (inc) to 1.16.23 (exc)
hashicorp vault From 1.10.0 (inc) to 1.20.1 (exc)
hashicorp vault From 1.17.0 (inc) to 1.18.12 (exc)
hashicorp vault From 1.19.0 (inc) to 1.19.7 (exc)
hashicorp vault 1.20.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Vault and Vault Enterprise allows attackers to bypass login multi-factor authentication (MFA) rate limits and reuse TOTP tokens, potentially compromising the authentication process.


How can this vulnerability impact me? :

An attacker could bypass MFA rate limits and reuse TOTP tokens to gain unauthorized access to Vault, potentially leading to exposure of sensitive information or unauthorized actions within the system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Vault to the fixed versions: Vault Community Edition 1.20.1 or Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, or 1.16.23.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart