PT-2025-31680 · Hashicorp · Vault Enterprise

Yarden Porat · Published 2025-08-01 · Updated 2025-09-05 · CVE-2025-6015

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Vault versions prior to 1.20.1; Vault Enterprise versions prior to 1.20.1, 1.19.7, 1.18.12, and 1.16.23

Description: Vault and Vault Enterprise's login MFA rate limits could be bypassed, and TOTP tokens could be reused.

Recommendations: Update Vault to version 1.20.1 or later. Update Vault Enterprise to version 1.20.1, 1.19.7, 1.18.12, or 1.16.23 or later.

Fix

Weakness Enumeration

Improper Authentication
Improper Restriction of Excessive Authentication Attempts

Related Identifiers

BDU:2025-11260
BIT-VAULT-2025-6015
CVE-2025-6015
GHSA-RXP7-9Q75-VJ3P
GHSA-V6R4-35F9-9RPW
GO-2025-3842
GO-2025-3856
OPENSUSE-SU-2025:15434-1
OPENSUSE-SU-2025:15460-1
SUSE-SU-2025:02912-1

Affected Products

Red Os
Vault
Vault Enterprise