OSV, added 2025/08/09 2:01 a.m.

CVE-2025-55003 OpenBao Login MFA Bypasses Rate Limiting and TOTP Token Reuse

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to...

CVSS 5.7, AI score 6.4, EPSS 0.00103
Exploits: 0, References: 5
Vulnrichment, added 2025/08/09 2:01 a.m.

CVE-2025-55001 OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. Whe...

CVSS 6.5, AI score 6.9, EPSS 0.00182
Exploits: 0, References: 3
Cvelist, added 2025/08/09 2:01 a.m.

CVE-2025-55001 OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. Whe...

CVSS 6.5, EPSS 0.00182
Exploits: 0, References: 3
CNNVD, added 2025/08/09 12:00 a.m.

OpenBao Security Vulnerability

OpenBao is open-source sensitive-data management software. A security vulnerability exists in OpenBao 2.3.1 and earlier versions that attackers can exploit to bypass MFA requirements...

CVSS 6.5, AI score 6.6, EPSS 0.00182
Exploits: 0, References: 4
CNNVD, added 2025/08/09 12:00 a.m.

OpenBao Security Vulnerability

OpenBao is open-source sensitive-data management software. A security vulnerability exists in OpenBao 2.3.1 and earlier versions that an attacker can exploit to bypass internal rate limiting and reuse an existing MFA code...

CVSS 5.7, AI score 6.6, EPSS 0.00103
Exploits: 0, References: 4
Github Security Blog, added 2025/08/08 3:17 p.m.

OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias

Impact: OpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using the username_as_alias=true parameter in the LDAP auth method, the caller-supplied username is used verbatim without normalization, allowing an attacker to...

CVSS 6.5, AI score 6, EPSS 0.00182
Exploits: 0, References: 6, Affected Software: 1
OSV, added 2025/08/08 3:17 p.m.

GHSA-2Q8Q-8FGW-9P6P OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias

Impact: OpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using the username_as_alias=true parameter in the LDAP auth method, the caller-supplied username is used verbatim without normalization, allowing an attacker to...

CVSS 6.5, AI score 6.5, EPSS 0.00206
Exploits: 0, References: 6
OSV, added 2025/08/08 2:44 p.m.

GHSA-RXP7-9Q75-VJ3P OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse

Impact: OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the M...

CVSS 5.7, AI score 6.6, EPSS 0.00103
Exploits: 0, References: 6
The Hacker News, added 2025/08/07 10:32 a.m.

SonicWall Confirms Patched Vulnerability Behind Recent VPN Attacks, Not a Zero-Day

SonicWall has revealed that the recent spike in activity targeting its Gen 7 and newer firewalls with SSL VPN enabled is related to an older, now-patched bug and password reuse. "We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability," the compan...

CVSS 9.8, AI score 9.6, EPSS 0.03443
Exploits: 0
HackRead, added 2025/08/06 9:34 p.m.

Chinese Groups Stole 115 Million US Cards in 16-Month Smishing Campaign

A SecAlliance report reveals Chinese smishing syndicates compromised 115M US payment cards by bypassing MFA to exploit Apple Pay and Google Wallet...

AI score 6.9
Exploits: 0
RedhatCVE, added 2025/08/06 1:19 p.m.

CVE-2025-6013

A flaw was found in github.com/hashicorp/vault. The LDAP authentication method fails to properly enforce multi-factor authentication when username_as_alias is enabled and a user possesses multiple Common Names (CNs) containing differing leading or trailing spaces. A remote attacker authenticated as a...

CVSS 6.5, AI score 6.4, EPSS 0.00206
Exploits: 0, References: 4
Snyk, added 2025/08/06 12:31 p.m.

Improper Neutralization

Overview: github.com/hashicorp/vault/builtin/credential/ldap is the ldap package for HashiCorp Vault. Affected versions of this package are vulnerable to Improper Neutralization in the ldap authentication method when username_as_alias is enabled and a user has multiple CNs that are equal except for leading ...

CVSS 8.5, AI score 7.1, EPSS 0.00206
Exploits: 0, References: 2
OSV, added 2025/08/06 12:31 p.m.

GHSA-7RX2-769V-HRWF HashiCorp Vault ldap auth method may not have correctly enforced MFA

Vault and Vault Enterprise’s “Vault” ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and...

CVSS 6.5, AI score 6.2, EPSS 0.00206
Exploits: 0, References: 3
OSV, added 2025/08/06 10:15 a.m.

CVE-2025-6013

Vault and Vault Enterprise’s “Vault” ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and...

CVSS 8.1, AI score 6.5
Exploits: 0, References: 1
Vulnrichment, added 2025/08/06 10:06 a.m.

CVE-2025-6013 Vault LDAP MFA Enforcement Bypass When Using Username As Alias

Vault and Vault Enterprise’s “Vault” ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and...

CVSS 6.5, AI score 6.4, EPSS 0.00206
Exploits: 0, References: 1
CVE, added 2025/08/06 10:06 a.m.

CVE-2025-6013

CVE-2025-6013 concerns Vault and Vault Enterprise’s LDAP authentication. The issue is a bypass of MFA enforcement when the LDAP method is configured with username_as_alias=true and a user has multiple equal CNs that include leading or trailing spaces, allowing a user to bypass alias-specific MFA ...

CVSS 8.1, AI score 6.4, EPSS 0.00206
Exploits: 0, References: 1, Affected Software: 1
CNNVD, added 2025/08/06 12:00 a.m.

HashiCorp Vault and HashiCorp Vault Enterprise Security Vulnerability

HashiCorp Vault and HashiCorp Vault Enterprise are both products of HashiCorp, Inc. of the U.S.A. HashiCorp Vault is a private key access management tool. HashiCorp Vault Enterprise is an enterprise information archiving platform. A security vulnerability exists in HashiCorp Vault and HashiCorp...

CVSS 8.1, AI score 6.3, EPSS 0.00206
Exploits: 0, References: 2
Positive Technologies, added 2025/08/06 12:00 a.m.

PT-2025-32152

Name of the Vulnerable Software and Affected Versions: Vault versions prior to 1.20.2; Vault Enterprise versions prior to 1.20.2; Vault Enterprise version 1.19.8; Vault Enterprise version 1.18.13; Vault Enterprise version 1.16.24. Description: The LDAP authentication method in Vault and Vault Enterprise...

CVSS 8.5, AI score 6.7, EPSS 0.00206
Exploits: 0, References: 60
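The LDAP alias bypass described in the OpenBao entries (GHSA-2Q8Q-8FGW-9P6P / CVE-2025-55001) and the Vault entries (CVE-2025-6013) above comes down to one mismatch: the directory treats "alice" and "alice " as the same user, but an identity layer that uses the caller-supplied username verbatim as the alias name treats them as two aliases, and therefore two entities, so an MFA enforcement pinned to the first entity never sees the second login. The Go program below is an added example, not OpenBao or Vault code: the Directory map, the IdentityStore, the entity-N IDs, the DN and the choice of strings.TrimSpace as the normalization step are all this example's own assumptions, and the constructed directory gives alice two CN values that differ only by a trailing space, as the advisories describe.

```go
package main

import (
	"fmt"
	"strings"
)

// Directory is a constructed stand-in for the LDAP server. It maps every CN value
// that a bind would match to the user's canonical DN; "alice" and "alice " both
// resolve to the same entry, modelling a user whose CNs differ only by a trailing space.
type Directory map[string]string

// Bind models a successful LDAP bind for the supplied username.
func (d Directory) Bind(username string) (dn string, ok bool) {
	dn, ok = d[username]
	return dn, ok
}

// IdentityStore is a constructed stand-in for the identity subsystem: each alias name
// maps to exactly one entity, and Login MFA enforcement is attached to entity IDs.
type IdentityStore struct {
	aliases     map[string]string // alias name -> entity ID
	mfaRequired map[string]bool   // entity ID -> MFA enforced for that entity
	nextID      int
}

func NewIdentityStore() *IdentityStore {
	return &IdentityStore{aliases: map[string]string{}, mfaRequired: map[string]bool{}}
}

// entityForAlias returns the entity bound to alias, creating a fresh one on first sight.
func (s *IdentityStore) entityForAlias(alias string) string {
	if e, ok := s.aliases[alias]; ok {
		return e
	}
	s.nextID++
	e := fmt.Sprintf("entity-%d", s.nextID)
	s.aliases[alias] = e
	return e
}

// Login binds to the directory, derives the alias name, and reports which entity the
// caller lands on and whether MFA is enforced for it. With usernameAsAlias the alias is
// the caller-supplied username: normalize=false reproduces the verbatim use the
// advisories describe, normalize=true trims it first (one illustrative fix, an
// assumption of this example rather than the projects' actual patch).
func Login(dir Directory, s *IdentityStore, username string, usernameAsAlias, normalize bool) (entity string, mfa bool, ok bool) {
	dn, ok := dir.Bind(username)
	if !ok {
		return "", false, false
	}
	alias := dn // this model's assumption: without username-as-alias the DN is the alias
	if usernameAsAlias {
		alias = username
		if normalize {
			alias = strings.TrimSpace(username)
		}
	}
	entity = s.entityForAlias(alias)
	return entity, s.mfaRequired[entity], true
}

// Scenario runs the bypass: the operator pins MFA to the entity alice first logged in
// with, then a caller holding alice's password logs in as "alice " instead.
func Scenario(normalize bool) (first, second string, secondMFA bool) {
	dir := Directory{ // constructed directory contents
		"alice":  "cn=alice,ou=people,dc=example,dc=com",
		"alice ": "cn=alice,ou=people,dc=example,dc=com",
	}
	store := NewIdentityStore()
	first, _, _ = Login(dir, store, "alice", true, normalize)
	store.mfaRequired[first] = true // MFA enforcement attached to alice's entity
	second, secondMFA, _ = Login(dir, store, "alice ", true, normalize)
	return first, second, secondMFA
}

func main() {
	for _, normalize := range []bool{false, true} {
		first, second, mfa := Scenario(normalize)
		fmt.Printf("normalize=%v: first login -> %s, padded login -> %s, MFA enforced on padded login: %v\n",
			normalize, first, second, mfa)
	}
}
```

With normalize=false the padded login lands on a brand-new entity that carries no MFA enforcement; with normalize=true both logins collapse onto the same entity and the enforcement applies. The same collapse happens if the alias is the DN rather than the username, which is why the advisories single out the username-as-alias setting.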
Snyk, added 2025/08/01 6:31 p.m.

Improper Restriction of Excessive Authentication Attempts

Overview: github.com/hashicorp/vault/vault is a tool for securely accessing secrets. Affected versions of this package are vulnerable to Improper Restriction of Excessive Authentication Attempts via validateTOTP when enforcing the once-per-validity-window check. An attacker could gain unauthorized...

CVSS 8.2, AI score 6.9, EPSS 0.00091
Exploits: 0, References: 2
OSV, added 2025/08/01 6:15 p.m.

CVE-2025-6015

Vault and Vault Enterprise’s “Vault” login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...

CVSS 5.7, AI score 7.1
Exploits: 0, References: 1
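The TOTP reuse bypass described in the OpenBao entries (GHSA-RXP7-9Q75-VJ3P / CVE-2025-55003) and the Vault entries (CVE-2025-6015, the validateTOTP once-per-validity-window check) above has the same shape as the LDAP alias bug: the library that checks the code normalizes away whitespace, but the bookkeeping that remembers which codes were already used is keyed on the raw submission, so " 287082" is a valid code and also a never-seen key. The Go program below is an added example, not OpenBao, Vault or their TOTP library's code. It implements a real RFC 6238 code (HMAC-SHA1, 30-second step) so the check is genuine, but the whitespace-stripping libraryValidate, the Validator type, its used-code map and the entity-1 ID are this example's assumptions about the shape of the problem; it models the token-reuse half of the advisory and leaves the rate-limiting half out. The secret and timestamp are the RFC 4226/6238 test vector, used here as constructed input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// totpCode computes the RFC 6238 code (HMAC-SHA1, 30-second step, 6 digits) for secret at t.
func totpCode(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// stripSpaces models the normalization the advisory attributes to the underlying TOTP
// library: whitespace anywhere in the submitted code is discarded before comparison.
// (Assumption for this model, not the library's actual code.)
func stripSpaces(code string) string {
	return strings.Join(strings.Fields(code), "")
}

// libraryValidate is the stand-in for the library call: it accepts "287082", " 287082"
// and "287 082" alike.
func libraryValidate(secret []byte, code string, t time.Time) bool {
	return hmac.Equal([]byte(stripSpaces(code)), []byte(totpCode(secret, t)))
}

// Validator layers a once-per-window replay check on top of the library check.
// normalizeKey=false keys the used-code set on the raw submission (the bug);
// normalizeKey=true keys it on the same normalized form the library compares.
type Validator struct {
	secret       []byte
	usedCodes    map[string]bool // entityID + "/" + code
	normalizeKey bool
}

func NewValidator(secret []byte, normalizeKey bool) *Validator {
	return &Validator{secret: secret, usedCodes: map[string]bool{}, normalizeKey: normalizeKey}
}

// Validate returns true only for a correct code that this entity has not used before.
func (v *Validator) Validate(entityID, code string, t time.Time) bool {
	if !libraryValidate(v.secret, code, t) {
		return false
	}
	key := entityID + "/" + code
	if v.normalizeKey {
		key = entityID + "/" + stripSpaces(code)
	}
	if v.usedCodes[key] {
		return false // replay within the validity window
	}
	v.usedCodes[key] = true
	return true
}

// ReplayOutcome uses a code once, then replays it with a leading space, against both
// validators. It returns whether each validator accepted the padded replay.
func ReplayOutcome() (buggyAccepts, hardenedAccepts bool) {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test-vector secret (constructed input)
	now := time.Unix(59, 0)                    // RFC 6238 test time; the code is 287082
	code := totpCode(secret, now)

	buggy := NewValidator(secret, false)
	buggy.Validate("entity-1", code, now) // legitimate first use
	buggyAccepts = buggy.Validate("entity-1", " "+code, now)

	hardened := NewValidator(secret, true)
	hardened.Validate("entity-1", code, now)
	hardenedAccepts = hardened.Validate("entity-1", " "+code, now)
	return buggyAccepts, hardenedAccepts
}

func main() {
	b, h := ReplayOutcome()
	fmt.Printf("raw-keyed validator accepts padded replay: %v\n", b)
	fmt.Printf("normalized-keyed validator accepts padded replay: %v\n", h)
}
```

The fix is not to reject whitespace at the library boundary alone: whatever canonical form the comparison uses must also be the form every downstream check (replay cache, attempt counter) keys on, otherwise the two layers disagree about what "the same code" means. Rejecting non-digit input outright before either layer sees it is the stricter option and removes the question.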