CVE-2025-11621
Published: 23 October 2025
Description
Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.
Security Summary
CVE-2025-11621 is an authentication bypass vulnerability in the AWS Auth method of HashiCorp Vault and Vault Enterprise. It occurs when the configured bound_principal_iam role is the same across multiple AWS accounts or uses a wildcard, so that the principal is not validated correctly. The issue stems from mishandling of cache entries and is classified under CWE-288 with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
An attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By leveraging an AWS role that matches the bound_principal_iam configuration from a different AWS account or exploiting wildcard usage, the attacker can bypass authentication to Vault, potentially gaining unauthorized access to sensitive secrets and configurations, resulting in high impacts to confidentiality and integrity.
HashiCorp has addressed CVE-2025-11621 in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27. Security practitioners should upgrade to these patched versions immediately. Additional details are available in the HashiCorp security advisory at https://discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709.
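As an added triage aid (not part of the advisory or HashiCorp's tooling), the script below checks two things the summary above calls out: whether a reported Vault version carries the fix (using the fixed versions listed above; the `+ent` suffix is assumed to mark Enterprise builds, and release branches with no listed fix are treated as unpatched), and whether AWS auth role configurations exhibit the risky pattern of a wildcard or the same IAM principal name bound under different AWS accounts. It assumes the role field is Vault's `bound_iam_principal_arn` (the parameter the page refers to as bound_principal_iam) and that role data is supplied as the `data` object of `vault read -format=json auth/aws/role/<name>`; the sample roles and account IDs are constructed.

```python
import re
from dataclasses import dataclass

# Fixed versions as stated in the advisory summary above.
ENTERPRISE_FIXED = {21: 0, 20: 5, 19: 11, 16: 27}   # minor -> first fixed patch
COMMUNITY_FIXED_MINOR = 21                          # Community Edition: 1.21.0

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(\+ent)?")
# IAM principal ARN: arn:aws[-partition]:iam::<account>:role|user/<name>
_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}|\*):(role|user)/(.+)$")


def is_patched(version: str) -> bool:
    """Return True if a 1.x Vault version string includes the CVE-2025-11621 fix.

    Assumption: Enterprise builds carry a '+ent' suffix. Enterprise branches
    without a listed fixed release (e.g. 1.17, 1.18) are treated as unpatched.
    """
    m = _VERSION_RE.match(version.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unrecognised Vault version: {version!r}")
    major, minor, patch, ent = int(m[1]), int(m[2]), int(m[3]), m[4]
    if major != 1:
        return major > 1
    if ent:
        if minor > max(ENTERPRISE_FIXED):
            return True
        fixed = ENTERPRISE_FIXED.get(minor)
        return fixed is not None and patch >= fixed
    return minor >= COMMUNITY_FIXED_MINOR


@dataclass
class Finding:
    role: str      # Vault AWS auth role name
    arn: str       # the bound principal ARN that triggered the finding
    reason: str


def audit_roles(roles: dict) -> list:
    """Flag bound IAM principals that match the vulnerable pattern.

    `roles` maps Vault role name -> role config dict. Findings are raised for
    wildcard principals and for principal names shared across AWS accounts.
    """
    findings, entries = [], []
    for role_name, cfg in roles.items():
        for arn in cfg.get("bound_iam_principal_arn", []):
            if "*" in arn:
                findings.append(Finding(role_name, arn, "wildcard principal"))
            m = _ARN_RE.match(arn)
            if not m:
                findings.append(Finding(role_name, arn, "unparseable ARN"))
                continue
            account, principal = m[1], f"{m[2]}/{m[3]}"
            entries.append((role_name, arn, account, principal))

    # Same role/user name bound under more than one account is the condition
    # the advisory describes; report every role that participates in it.
    accounts_by_principal = {}
    for _, _, account, principal in entries:
        accounts_by_principal.setdefault(principal, set()).add(account)
    for role_name, arn, account, principal in entries:
        n = len(accounts_by_principal[principal])
        if n > 1:
            findings.append(Finding(
                role_name, arn,
                f"principal name '{principal}' is bound under {n} AWS accounts"))
    return findings


# Constructed sample: two roles share the name 'deploy' in different accounts,
# one role uses a wildcard, one is cleanly scoped.
SAMPLE_ROLES = {
    "ci-prod":     {"auth_type": "iam", "bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/deploy"]},
    "ci-staging":  {"auth_type": "iam", "bound_iam_principal_arn": ["arn:aws:iam::222222222222:role/deploy"]},
    "ops-any":     {"auth_type": "iam", "bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/ops-*"]},
    "ci-isolated": {"auth_type": "iam", "bound_iam_principal_arn": ["arn:aws:iam::333333333333:role/build"]},
}

if __name__ == "__main__":
    for v in ("1.20.4+ent", "1.20.5+ent", "1.20.5", "1.21.0"):
        print(f"{v:12} patched={is_patched(v)}")
    for f in audit_roles(SAMPLE_ROLES):
        print(f"[{f.role}] {f.arn}: {f.reason}")
```

On the sample data the script reports three findings: the wildcard in `ops-any` and both `ci-prod` and `ci-staging` for binding the same `role/deploy` name under two accounts. Either condition is worth fixing in the role configuration in addition to upgrading, since the advisory ties the bypass to exactly those configurations.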
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables authentication bypass in HashiCorp Vault's AWS auth method, facilitating exploitation of a remote service (T1210), privilege escalation from low privileges (T1068), and credential access from a cloud secrets management store (T1555.006).