HCSEC-2025-18

**Bulletin ID:** HCSEC-2025-18

**Affected Products / Versions:** Vault Community Edition up to 1.20.0, fixed in 1.20.1. Vault Enterprise up to 1.20.0, 1.19.6, 1.18.11, 1.16.22 and 1.15.15, fixed in 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

**Publication Date:** August 1, 2025

**Summary**

The TLS certificate auth method in Vault and Vault Enterprise (“Vault”) did not correctly validate client certificates when a non-CA certificate was configured as the [trusted certificate](https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate). In this configuration, an attacker may be able to craft a malicious certificate and use it to impersonate another user. This vulnerability, identified as CVE-2025-6037, is fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

**Background**

Vault offers a wide range of [auth methods](https://developer.hashicorp.com/vault/api-docs/auth) for authentication, including [TLS client certificates](https://developer.hashicorp.com/vault/api-docs/auth/cert). The trusted certificate configured for Vault’s TLS certificate auth method may be either a CA certificate, against which presented client certificates are validated by chaining, or a non-CA certificate, in which case that specific client certificate is itself the trusted one.

**Details**

A malicious user in possession of a trusted non-CA certificate and its corresponding private key can generate a new certificate with an arbitrary CN, including the CN of another trusted user. Logging in with that certificate inherits the entity_id of the impersonated user, together with the policies and group memberships attached to that entity.

**Remediation**

Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.20.1 or Vault Enterprise 1.20.1, 1.19.7, 1.18.12, or 1.16.23. Please refer to [Upgrading Vault](https://developer.hashicorp.com/vault/docs/upgrading) for general guidance.

**Acknowledgement**

This issue was identified by Yarden Porat of Cyata Security, who reported it to HashiCorp.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
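The following Go program is an added illustration; it is not part of the bulletin and not Vault's code. It shows the decision a certificate-based login has to make when the configured trusted certificate is not a CA: the presented client certificate must be byte-for-byte identical to the configured one, and the CN that the login maps to an identity alias (and from there to an entity with its policies and group memberships) is read from the configured copy, never from whatever the client presented. CA-type trusted certificates are handled by ordinary chain verification. The bulletin does not describe the internal cause of the defect in Vault; `WeakFieldMatch` is a hypothetical anti-pattern included only for contrast, and the certificates, the names `bob` and `alice`, and the serial number are constructed test material. The impostor certificate is built the way the Details section describes it: signed with the private key belonging to a trusted non-CA certificate and carrying another user's CN. It additionally reuses the trusted certificate's serial number so that any matcher comparing individual fields, rather than the whole certificate, would confuse the two.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Authenticate is hypothetical code (not Vault's) for the decision a cert auth
// login has to make: each configured trusted certificate either anchors chain
// verification, if and only if it asserts cA=TRUE, or pins exactly one client
// certificate. The returned CN is what a login would map to an identity alias.
func Authenticate(trusted []*x509.Certificate, presented *x509.Certificate, now time.Time) (string, error) {
	for _, t := range trusted {
		if t.BasicConstraintsValid && t.IsCA {
			roots := x509.NewCertPool()
			roots.AddCert(t)
			opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
				KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
			if _, err := presented.Verify(opts); err == nil {
				return presented.Subject.CommonName, nil
			}
			continue
		}
		// Pinned leaf: byte-for-byte equality, still subject to its validity period.
		// The CN comes from the configured copy, so nothing the client chose is used.
		if t.Equal(presented) && !now.Before(t.NotBefore) && !now.After(t.NotAfter) {
			return t.Subject.CommonName, nil
		}
	}
	return "", fmt.Errorf("client certificate CN=%q is not trusted", presented.Subject.CommonName)
}

// WeakFieldMatch is a HYPOTHETICAL anti-pattern shown for contrast, not a claim
// about Vault's code: it takes agreement on issuer and serial number as proof
// that the presented certificate is the pinned one. Both fields are chosen by
// whoever signs, so the holder of the pinned key can reproduce them under any CN.
func WeakFieldMatch(pinned, presented *x509.Certificate) bool {
	return pinned.SerialNumber.Cmp(presented.SerialNumber) == 0 &&
		bytes.Equal(pinned.RawIssuer, presented.RawIssuer)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildScenario creates constructed test material (none of it from the bulletin):
// bob's trusted non-CA certificate, and an impostor certificate that bob signs with
// his own key, naming CN=alice and reusing his own serial number.
func BuildScenario() (trusted []*x509.Certificate, genuine, impostor *x509.Certificate, now time.Time) {
	now = time.Date(2025, 8, 1, 12, 0, 0, 0, time.UTC)
	leaf := x509.Certificate{
		SerialNumber:          big.NewInt(1001),
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // cA is FALSE: a leaf, never a CA
	}
	bobKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	bobTmpl := leaf
	bobTmpl.Subject = pkix.Name{CommonName: "bob"}
	genuine = must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, &bobTmpl, &bobTmpl, &bobKey.PublicKey, bobKey))))

	// CreateCertificate does not require the parent to be a CA, so bob's key can
	// sign a certificate naming "alice" over a fresh key pair that bob controls.
	otherKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	impTmpl := leaf
	impTmpl.Subject = pkix.Name{CommonName: "alice"}
	impostor = must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, &impTmpl, genuine, &otherKey.PublicKey, bobKey))))

	return []*x509.Certificate{genuine}, genuine, impostor, now
}

func main() {
	trusted, genuine, impostor, now := BuildScenario()
	for _, c := range []*x509.Certificate{genuine, impostor} {
		id, err := Authenticate(trusted, c, now)
		fmt.Printf("presented CN=%-5s  strict: id=%q err=%v  weak field match: %v\n",
			c.Subject.CommonName, id, err, WeakFieldMatch(genuine, c))
	}
}
```

Running the program shows `Authenticate` accepting bob's own certificate and rejecting the impostor, while `WeakFieldMatch` reports the impostor as a match because issuer and serial number agree. Go's `Verify` would also refuse to build a chain through a parent that does not assert cA=TRUE, since `CheckSignatureFrom` enforces the Basic Constraints flag for v3 certificates, but relying on that conflates two different trust decisions; an explicit equality check for pinned certificates keeps the intent visible and does not depend on a library's chain-building rules. The validity-period check on the pinned path is deliberate: a pinned certificate is still a certificate, and expiry should end its ability to log in.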

Timeline

  • Aug 1, 2025 CVE Published