CVE-2025-6037: 
HashiCorp Vault vulnerability analysis and mitigation

Vault and Vault Enterprise ('Vault') TLS certificate authentication method contained a critical security flaw (CVE-2025-6037) that failed to properly validate client certificates when configured with a non-CA certificate as trusted certificate. The vulnerability was discovered in August 2025 and affects Vault Community Edition up to 1.20.0 and Vault Enterprise up to versions 1.20.0, 1.19.6, 1.18.11, and 1.16.22. The issue has been fixed in Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23 (HashiCorp Discussion).

The vulnerability is classified as an Improper Certificate Validation (CWE-295) issue. The flaw allows malicious users in possession of a trusted non-CA certificate and its corresponding private key to generate new certificates with arbitrary Common Names (CN), including those belonging to other trusted users. This enables attackers to inherit the entity_id, policies, and group memberships of the impersonated user. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H (HashiCorp Discussion).

The vulnerability enables attackers to impersonate other users by crafting malicious certificates, potentially leading to unauthorized access to sensitive resources and privilege escalation within the Vault environment. When combined with other vulnerabilities, it can be part of a larger attack chain that could potentially lead to complete vault takeover (Hacker News).

Organizations are strongly advised to upgrade to the patched versions: Vault Community Edition 1.20.1 or Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, or 1.16.23. The vulnerability was identified by Yarden Porat of Cyata Security and reported to HashiCorp through their security reporting program (HashiCorp Discussion).

The security community has shown significant concern about this vulnerability, particularly when combined with other HashiCorp Vault flaws. Security researchers have demonstrated how this vulnerability can be part of a larger attack chain that could potentially lead to complete vault takeover, highlighting the serious nature of the security issue (Hacker News).