Categories: Cyber Security News

HashiCorp Vault Vulnerability Allows Attackers to Authenticate to Vault Without Valid Credentials

A critical security flaw has been discovered in HashiCorp’s Vault Terraform Provider that could allow attackers to bypass authentication and access Vault without valid credentials.

The vulnerability, tracked as CVE-2025-13357, affects organizations that configure Vault's LDAP auth method through the Vault Terraform Provider. The root cause is an insecure default applied by the provider, not Vault's own LDAP configuration, whose default for the same parameter is true.

Specifically, when a Terraform configuration omitted the deny_null_bind argument, the provider set it to false for the LDAP authentication method, overriding Vault's own default of true.

This default is dangerous because it tells Vault to proceed with an LDAP bind even when the login request carries an empty password. If the directory server permits unauthenticated (null) binds, that bind succeeds and Vault treats the login as authenticated. Whether a given deployment was actually exploitable therefore depended on the LDAP server's configuration as well as on the provider version; a directory that rejects empty-password binds does not complete the bypass on its own.

When exploited, the flaw lets an attacker log in to Vault through the LDAP auth method with a valid username and an empty password, without knowing that user's actual credential.

This authentication bypass poses significant risks to organizations storing sensitive secrets, encryption keys, and other critical data in Vault.

CVE ID: CVE-2025-13357
Affected product: Vault Terraform Provider
Affected versions: v4.2.0 to v5.4.0
Impact: Authentication bypass

HashiCorp has released fixes addressing this vulnerability. Organizations should take the following actions:

Update to Vault Terraform Provider v5.5.0, which correctly sets the deny_null_bind parameter to true by default.

Additionally, upgrade to Vault Community Edition 1.21.1 or Vault Enterprise versions 1.21.1, 1.20.6, 1.19.12, or 1.16.28.

Regardless of provider version, set deny_null_bind = true explicitly in every vault_ldap_auth_backend resource rather than relying on the default.

Organizations that cannot upgrade the provider yet should add the parameter to their Terraform files, run terraform apply immediately, and confirm the live setting with vault read auth/<mount>/config.

The patched Vault versions also reject empty password strings at login, so an LDAP auth method that is still configured with deny_null_bind = false no longer forwards a null bind to the directory.
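The remediation above boils down to one setting that must be true in two places: the Terraform definition and the running auth backend. As an added example (not code from the article or from HashiCorp), the following Python audits the two artefacts a team already has on hand, the JSON written by terraform show -json and the JSON written by vault read -format=json auth/<mount>/config, and flags any LDAP auth backend whose deny_null_bind is not explicitly true. The sample plan and config documents are constructed to mirror the shape of those outputs; every resource name, mount path, URL and DN in them is assumed.

```python
"""Audit helpers for CVE-2025-13357: find Vault LDAP auth backends whose
deny_null_bind is not explicitly true.

Added example, not HashiCorp code. The corrected Terraform this check looks
for (assumed resource name, URL and DNs):

    resource "vault_ldap_auth_backend" "ldap" {
      path           = "ldap"
      url            = "ldaps://ldap.example.internal"
      userdn         = "ou=Users,dc=example,dc=internal"
      userattr       = "uid"
      deny_null_bind = true   # pinned regardless of provider version
    }
"""


def _walk_modules(module):
    """Yield every resource in a Terraform plan module tree (root + children)."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def audit_terraform_plan(plan):
    """Return (address, detail) for each vault_ldap_auth_backend whose planned
    deny_null_bind is not True. A missing key means the plan does not pin the
    value (it is left to the provider default), which is reported as a
    finding so the operator sets it explicitly."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _walk_modules(root):
        if res.get("type") != "vault_ldap_auth_backend":
            continue
        value = res.get("values", {}).get("deny_null_bind")
        if value is not True:
            findings.append((res["address"], f"deny_null_bind={value!r}"))
    return findings


def audit_vault_config(mount, config_read):
    """Same check against a running Vault, using the parsed output of
    `vault read -format=json auth/<mount>/config`. Returns a finding or None."""
    value = config_read.get("data", {}).get("deny_null_bind")
    if value is not True:
        return (f"auth/{mount}", f"deny_null_bind={value!r}")
    return None


# Constructed sample plan, shaped like `terraform show -json` output. The first
# resource omits deny_null_bind in HCL and was planned with a provider < 5.5.0,
# so the provider's false default appears in planned values.
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "vault_ldap_auth_backend.legacy",
                 "type": "vault_ldap_auth_backend", "name": "legacy",
                 "values": {"path": "ldap", "url": "ldaps://ldap.example.internal",
                            "deny_null_bind": False}},
                {"address": "vault_ldap_auth_backend.hardened",
                 "type": "vault_ldap_auth_backend", "name": "hardened",
                 "values": {"path": "ldap-new", "url": "ldaps://ldap.example.internal",
                            "deny_null_bind": True}},
            ],
            "child_modules": [
                {"address": "module.auth",
                 "resources": [
                     {"address": "module.auth.vault_ldap_auth_backend.child",
                      "type": "vault_ldap_auth_backend", "name": "child",
                      # attribute absent from planned values: not pinned
                      "values": {"path": "ldap-corp"}},
                 ]},
            ],
        }
    },
}

# Constructed samples shaped like `vault read -format=json auth/<mount>/config`.
SAMPLE_VAULT_CONFIG_OK = {"data": {"url": "ldaps://ldap.example.internal",
                                   "deny_null_bind": True}}
SAMPLE_VAULT_CONFIG_WEAK = {"data": {"url": "ldaps://ldap.example.internal",
                                     "deny_null_bind": False}}


if __name__ == "__main__":
    for address, detail in audit_terraform_plan(SAMPLE_PLAN):
        print(f"FINDING {address}: {detail}")
    for mount, cfg in (("ldap", SAMPLE_VAULT_CONFIG_OK),
                       ("ldap-legacy", SAMPLE_VAULT_CONFIG_WEAK)):
        finding = audit_vault_config(mount, cfg)
        print(f"auth/{mount}: {'FINDING ' + finding[1] if finding else 'ok'}")
```

Run the Terraform check against terraform show -json plan.out before applying and the Vault check against each LDAP mount listed by vault auth list; a backend that passes the plan check but fails the live check has drifted, which is exactly the state an unupgraded provider leaves behind.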

HashiCorp has announced that this outdated parameter will be removed in future releases. This vulnerability was identified by a third-party researcher who responsibly disclosed it to HashiCorp.

Organizations using Vault with LDAP authentication should prioritize applying these security updates to protect their infrastructure from potential exploitation.
