{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-6015","assignerOrgId":"67fedba0-ff2e-4543-ba5b-aa93e87718cc","state":"PUBLISHED","assignerShortName":"HashiCorp","dateReserved":"2025-06-11T19:05:27.750Z","datePublished":"2025-08-01T18:03:53.214Z","dateUpdated":"2025-08-01T18:35:17.893Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["64 bit","32 bit","x86","ARM","MacOS","Windows","Linux"],"product":"Vault","repo":"https://github.com/hashicorp/vault","vendor":"HashiCorp","versions":[{"lessThan":"1.20.1","status":"affected","version":"1.10.0","versionType":"semver"}]},{"defaultStatus":"unaffected","platforms":["64 bit","32 bit","x86","ARM","MacOS","Windows","Linux"],"product":"Vault Enterprise","repo":"https://github.com/hashicorp/vault","vendor":"HashiCorp","versions":[{"changes":[{"at":"1.19.7","status":"unaffected"},{"at":"1.18.12","status":"unaffected"},{"at":"1.16.23","status":"unaffected"}],"lessThan":"1.20.1","status":"affected","version":"1.10.0","versionType":"semver"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.</p><br/>"}],"value":"Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23."}],"impacts":[{"capecId":"CAPEC-114","descriptions":[{"lang":"en","value":"CAPEC-114: Authentication Abuse"}]}],"metrics":[{"cvssV3_1":{"baseScore":5.7,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-307","description":"CWE-307: Improper Restriction of Excessive Authentication Attempts","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"67fedba0-ff2e-4543-ba5b-aa93e87718cc","shortName":"HashiCorp","dateUpdated":"2025-08-01T18:03:53.214Z"},"references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038"}],"source":{"advisory":"HCSEC-2025-19","discovery":"EXTERNAL"},"title":"Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse"},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-08-01T18:35:07.893075Z","id":"CVE-2025-6015","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-08-01T18:35:17.893Z"}}]}}