HashiCorp Vault Vulnerability Allow Attackers to Authenticate to Vault Without Valid Credentials

HashiCorp Vault Vulnerability Allow Attackers to Authenticate to Vault Without Valid Credentials

Posted on By CWS

A crucial safety flaw has been found in HashiCorp’s Vault Terraform Supplier that would enable attackers to bypass authentication and entry Vault with out legitimate credentials.

The vulnerability, tracked as CVE-2025-13357, impacts organizations utilizing LDAP authentication with Vault. The safety situation stems from an incorrect default configuration in Vault’s Terraform Supplier.

Particularly, the supplier set the deny_null_bind parameter to false by default for the LDAP authentication technique.

HashiCorp Vault Vulnerability

This misconfiguration created a harmful safety hole as a result of the underlying LDAP server permitted unauthenticated connections.

When exploited, this vulnerability permits menace actors to authenticate to Vault with out offering legit credentials.

This authentication bypass poses vital dangers to organizations storing delicate secrets and techniques, encryption keys, and different crucial knowledge in Vault.

CVE IDAffected ProductsAffected VersionsImpactCVE-2025-13357Vault Terraform Providerv4.2.0 to v5.4.0Authentication Bypass

HashiCorp has launched fixes addressing this vulnerability. Organizations ought to take the next actions:

Replace to Vault Terraform Supplier v5.5.0, which accurately units the deny_null_bind parameter to true by default.

Moreover, improve to Vault Neighborhood Version 1.21.1 or Vault Enterprise variations 1.21.1, 1.20.6, 1.19.12, or 1.16.28.

Make sure the deny_null_bind parameter is explicitly set to true in LDAP auth technique configurations.

Organizations utilizing older supplier variations ought to explicitly set the parameter of their Terraform recordsdata and apply the modifications instantly.

The patched Vault variations not settle for empty password strings, successfully stopping unauthenticated LDAP connections through the authentication technique.

HashiCorp has introduced that this outdated parameter shall be eliminated in future releases. This vulnerability was recognized by a third-party researcher who responsibly disclosed it to HashiCorp.

Organizations utilizing Vault with LDAP authentication ought to prioritize making use of these safety updates to guard their infrastructure from potential exploitation.

Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.

Cyber Security News Tags:, , , , , ,

Related Posts

Apache Tomcat Vulnerabilities Let Attackers Bypass Authentication & Trigger DoS Attacks Apache Tomcat Vulnerabilities Let Attackers Bypass Authentication & Trigger DoS Attacks Cyber Security News
VMware Tools and Aria Operations Vulnerabilities Let Attackers Escalate Privileges to Root VMware Tools and Aria Operations Vulnerabilities Let Attackers Escalate Privileges to Root Cyber Security News
Chinese Hackers Exploit SAP RCE Vulnerability to Upload Supershell Backdoors Chinese Hackers Exploit SAP RCE Vulnerability to Upload Supershell Backdoors Cyber Security News
New EtherHiding Attack Uses Web-Based Attacks to Deliver Malware and Rotate Payloads New EtherHiding Attack Uses Web-Based Attacks to Deliver Malware and Rotate Payloads Cyber Security News
5 Immediate Steps to be Followed After Clicking on a Malicious Link 5 Immediate Steps to be Followed After Clicking on a Malicious Link Cyber Security News
Hundreds of WordPress Websites Hacked By VexTrio Viper Group to Run Massive TDS Services Hundreds of WordPress Websites Hacked By VexTrio Viper Group to Run Massive TDS Services Cyber Security News