CVE-2025-6015: 
HashiCorp Vault vulnerability analysis and mitigation

CVE-2025-6015 affects HashiCorp Vault and Vault Enterprise's login Multi-Factor Authentication (MFA) system. The vulnerability was discovered and reported by Yarden Porat of Cyata Security and publicly disclosed on August 1, 2025. The issue affects Vault Community Edition versions from 1.10.0 up to 1.20.0 and Vault Enterprise versions from 1.10.0 up to 1.20.0, 1.19.6, 1.18.11, and 1.16.22 (HashiCorp Advisory).

The vulnerability stems from improper normalization of TOTP (Time-based One-Time Password) codes prior to enforcing the once-per-validity-window check in Vault's login MFA system. This implementation flaw could allow attackers to resubmit previously used codes during the MFA check. The vulnerability has been assigned a CVSS v3.1 base score of 5.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity (HashiCorp Advisory).

The vulnerability allows potential attackers to bypass MFA rate limits and reuse TOTP tokens, which compromises the security of the multi-factor authentication system. This could lead to unauthorized access to protected resources if exploited successfully (HashiCorp Advisory).

HashiCorp has released patches to address this vulnerability. Users should upgrade to Vault Community Edition 1.20.1 or Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, or 1.16.23. The fix includes strict validation of TOTP code length and implementation of generic error messages for previously used passcodes (HashiCorp Advisory).