HCSEC-2025-22
**Bulletin ID:** **HCSEC-2025-22** **Affected Products / Versions:** HashiCorp recently published eight security bulletins for issues impacting Vault and Vault Enterprise, all of which have been addressed in the latest Vault versions: 1.20.2, 1.19.8, 1.18.13, and 1.16.24. **Publication Date:** August 6, 2025 **Summary** HashiCorp recently published eight security bulletins for issues impacting Vault Community Edition and Vault Enterprise, all of which have been addressed in the latest Vault versions: 1.20.2, 1.19.8, 1.18.13, and 1.16.24. **Background** Earlier this year, a security researcher reported multiple vulnerabilities impacting Vault and Vault Enterprise. These vulnerabilities range in severity and exploitability, but generally focus on core authentication flows. The vulnerabilities are: * [HCSEC-2025-20 - Vault LDAP MFA Enforcement Bypass When Using Username As Alias](https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092) * [HCSEC-2025-19 - Vault Login MFA Bypass of Rate Limiting and TOTP Token Reuse](https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038) * [HCSEC-2025-18 - Vault Certificate Auth Method Did Not Validate Common Name For Non-CA Certificates](https://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037) * [HCSEC-2025-17 - Vault TOTP Secrets Engine Code Reuse](https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036) * [HCSEC-2025-16 - Vault Userpass and LDAP User Lockout Bypass](https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035) * [HCSEC-2025-15 - Timing Side-Channel in Vault’s Userpass Auth Method](https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034) * [HCSEC-2025-14 - Privileged Vault Operator May Execute Code on the Underlying Host](https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033) * [HCSEC-2025-13 - Vault Root Namespace Operator May Elevate Token Privileges](https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032) In addition, HashiCorp has published a bulletin for a vulnerability that has been disclosed but is not yet remediated. While we believe this issue presents a low-risk, this bulletin includes details and guidance for operators who wish to mitigate the vulnerability until a fix is available: * [HCSEC-2025-21 - Vault User Enumeration in Userpass Auth Method](https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095) The vulnerabilities only affect Vault when running as a server, they do not affect Vault’s SDK, Vault running as a [client](https://developer.hashicorp.com/vault/docs/commands) (CLI), or Vault running in [agent or proxy](https://developer.hashicorp.com/vault/docs/agent-and-proxy) modes. **Remediation** Customers should evaluate the risk associated with each issue and consider upgrading to Vault Community Edition 1.20.2 or Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24. Please refer to [Upgrading Vault](https://developer.hashicorp.com/vault/docs/upgrading) for general guidance. **Acknowledgement** HashiCorp thanks Yarden Porat and the Cyata Security team for disclosing these issues, as well as their collaboration on the remediation and disclosure of these issues. *We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
Timeline
- Aug 6, 2025 CVE Published