Mallory vulnerability record. Severity: Medium. Public exploit: none observed.

HashiCorp Vault userpass TOTP MFA brute-force and one-time-use bypass

Identifiers: CVE-2025-6016 · CWE-307 (Improper Restriction of Excessive Authentication Attempts)

CVE-2025-6016 affects HashiCorp Vault's userpass authentication method when login MFA with TOTP is enforced, and covers several related weaknesses in the TOTP validation flow. A passcode that has already been consumed produces an error distinguishable from a merely wrong one, so an attacker can confirm which codes were accepted earlier. Whitespace padding around a passcode is stripped during validation but not when the one-time-use cache is consulted, so a spent code can be replayed by padding it. And the rate limit on failed MFA attempts can be evaded through time skew or by switching the entity being authenticated. Together these undermine the two controls that make a short numeric TOTP safe against guessing: the one-time-use rule and the cap on attempts per validity window.
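To make the three discrepancies concrete, here is an added illustration (not Vault's code, and not taken from the advisory): a toy TOTP login gate that exhibits each weakness, beside a version with the gaps closed. The class names, the entity names, the seeds and the client address are hypothetical; only the HOTP/TOTP arithmetic follows the RFCs.

```python
"""Added illustration: a toy TOTP gate with the advisory's three weaknesses,
beside a hardened version. Hypothetical code, not HashiCorp Vault's."""
import hashlib
import hmac
import struct
from collections import defaultdict

DIGITS = 6
PERIOD = 30


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP (HMAC-SHA1, dynamic truncation), the TOTP building block."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP for the 30 s step containing `now` (Unix seconds)."""
    return hotp(secret, now // PERIOD)


class WeakMfa:
    """Weak model: 'already used' has its own message (enumeration); validation
    strips whitespace but the used-code cache keys on the raw string (padded
    replay); the failure counter is keyed only by entity (entity switching)."""

    def __init__(self, secrets, max_attempts=5):
        self.secrets = secrets            # entity name -> TOTP seed
        self.max_attempts = max_attempts
        self.used = set()                 # (entity, raw passcode as submitted)
        self.failures = defaultdict(int)  # entity -> failed attempts

    def validate(self, entity, passcode, now, source):
        if self.failures[entity] >= self.max_attempts:
            return "rate limited"
        if (entity, passcode) in self.used:
            return "passcode already used"        # distinguishable error
        if passcode.strip() != totp(self.secrets[entity], now):  # trims here...
            self.failures[entity] += 1
            return "invalid passcode"
        self.used.add((entity, passcode))         # ...but caches the raw input
        return "ok"


class HardenedMfa:
    """Hardened model: strict syntax first; one answer for wrong *and* used;
    one-time-use record keyed on the normalised code; failure counters kept
    per entity and per source address, both bumped on every failure."""

    FAIL = "mfa validation failed"

    def __init__(self, secrets, max_attempts=5):
        self.secrets = secrets
        self.max_attempts = max_attempts
        self.used = set()                 # (entity, normalised code)
        self.failures = defaultdict(int)  # ("entity", e) / ("source", s) -> count

    def _fail(self, entity, source):
        self.failures[("entity", entity)] += 1
        self.failures[("source", source)] += 1
        return self.FAIL

    def validate(self, entity, passcode, now, source):
        if (self.failures[("entity", entity)] >= self.max_attempts
                or self.failures[("source", source)] >= self.max_attempts):
            return "too many attempts"
        # Exactly DIGITS ASCII digits; padding of any kind is just a failure.
        if len(passcode) != DIGITS or not (passcode.isascii() and passcode.isdigit()):
            return self._fail(entity, source)
        expected = totp(self.secrets[entity], now)
        # 'Already used' and 'wrong' share one answer and one counter.
        if (entity, passcode) in self.used or not hmac.compare_digest(passcode, expected):
            return self._fail(entity, source)
        self.used.add((entity, passcode))
        return "ok"


def demo():
    """Replay, padded replay and entity switching against both models.
    Entities, seeds and the client address are constructed sample data."""
    secrets = {"alice": b"alice-demo-seed-", "bob": b"bob-demo-seed---"}
    now, client = 1_700_000_000, "203.0.113.7"
    results = {}
    for name, cls in (("weak", WeakMfa), ("hardened", HardenedMfa)):
        gate = cls(secrets)
        code = totp(secrets["alice"], now)
        first = gate.validate("alice", code, now, client)          # legitimate login
        replay = gate.validate("alice", code, now, client)         # exact replay
        padded = gate.validate("alice", " " + code, now, client)   # space-padded replay
        for i in range(5):                                         # burn alice's budget
            gate.validate("alice", str(i).zfill(DIGITS), now, client)
        switched = gate.validate("bob", "000000", now, client)     # same client, new entity
        results[name] = {"first": first, "replay": replay,
                         "padded": padded, "after_switch": switched}
    return results
```

Running `demo()` shows the weak gate accepting the space-padded replay and answering the guess against `bob` normally after `alice`'s budget is exhausted, while the hardened gate refuses both with a single failure message and a per-source attempt cap. The point of the hardened version is structural: normalise once, use the normalised value for every later decision, and never let the caller learn which of several reasons caused a rejection.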


ANALYST BRIEF

Impact, mitigation & remediation: what it means, what to do now, the patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets.

Successful exploitation weakens or bypasses TOTP MFA in Vault's userpass authentication flow. The weaknesses do not reveal a password; they matter once an attacker already holds or has guessed the first factor and MFA is the remaining barrier. At that point the attacker can tell whether a given passcode was already accepted, replay a spent passcode by padding it with whitespace, and keep guessing past the intended attempt cap by exploiting time skew or switching entities, which makes brute-forcing a short numeric code inside its validity window practical. Depending on the environment and what else is chained, the result is an authenticated Vault token and access to whatever the compromised identity's policies permit.

Mitigation

If you can't patch tonight, do this now.

Until patching is complete, watch the audit trail for MFA anomalies: repeated MFA validation failures against one entity, bursts of attempts timed to the passcode validity window, failures from one source address spread across several entities (entity switching), and malformed or whitespace-padded passcodes where the input is visible to you. Treat any of these as brute-force activity, restrict which networks can reach the login endpoint, and where another auth method is available consider disabling userpass until the fix is deployed. No vendor-specific workaround is listed on this page.
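The monitoring advice above can be turned into a concrete rule. The following is an added example, not Mallory's or HashiCorp's code: it runs over a constructed, deliberately simplified login-audit trail (one JSON object per line with `ts`, `src`, `entity` and `event` fields, which is not Vault's audit-log schema) and alerts when one source address either racks up too many MFA failures or fails against too many different entities inside a sliding window. The thresholds `WINDOW`, `MAX_FAILURES` and `MAX_ENTITIES` are illustrative.

```python
"""Added example: sliding-window detection of MFA guessing across entities."""
import json
from collections import defaultdict, deque

WINDOW = 60         # seconds of history kept per source address (illustrative)
MAX_FAILURES = 10   # failed MFA validations from one address within WINDOW
MAX_ENTITIES = 3    # distinct entities one address fails against within WINDOW

# Constructed sample records in a simplified, hypothetical schema (not Vault's
# audit-log format): one JSON object per line.
SAMPLE_LOG = """\
{"ts": 100, "src": "203.0.113.7", "entity": "alice", "event": "mfa_failed"}
{"ts": 102, "src": "203.0.113.7", "entity": "alice", "event": "mfa_failed"}
{"ts": 104, "src": "203.0.113.7", "entity": "alice", "event": "mfa_failed"}
{"ts": 106, "src": "203.0.113.7", "entity": "alice", "event": "mfa_failed"}
{"ts": 108, "src": "203.0.113.7", "entity": "bob", "event": "mfa_failed"}
{"ts": 110, "src": "203.0.113.7", "entity": "bob", "event": "mfa_failed"}
{"ts": 112, "src": "203.0.113.7", "entity": "bob", "event": "mfa_failed"}
{"ts": 114, "src": "203.0.113.7", "entity": "bob", "event": "mfa_failed"}
{"ts": 116, "src": "203.0.113.7", "entity": "carol", "event": "mfa_failed"}
{"ts": 118, "src": "203.0.113.7", "entity": "carol", "event": "mfa_failed"}
{"ts": 119, "src": "198.51.100.2", "entity": "dave", "event": "mfa_failed"}
{"ts": 125, "src": "198.51.100.2", "entity": "dave", "event": "mfa_ok"}
{"ts": 200, "src": "203.0.113.7", "entity": "carol", "event": "mfa_failed"}
"""


def scan(lines):
    """Return [(ts, src, reason)] for the first line at which each source
    address crosses a threshold. Windows are keyed by source address rather
    than by entity, so spreading guesses across entities does not hide them."""
    history = defaultdict(deque)   # src -> deque of (ts, entity) failures
    fired = set()                  # (src, reason) already reported
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["event"] != "mfa_failed":
            continue
        window = history[rec["src"]]
        window.append((rec["ts"], rec["entity"]))
        while window[0][0] < rec["ts"] - WINDOW:   # drop expired entries
            window.popleft()
        checks = (
            ("entity switching", len({e for _, e in window}) >= MAX_ENTITIES),
            ("mfa brute force", len(window) >= MAX_FAILURES),
        )
        for reason, hit in checks:
            if hit and (rec["src"], reason) not in fired:
                fired.add((rec["src"], reason))
                alerts.append((rec["ts"], rec["src"], reason))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample above the scanner fires "entity switching" when the address moves to its third entity and "mfa brute force" on its tenth failure, and stays quiet for the second address, whose user failed once and then logged in. Keying the window on the source address is what catches the entity-switching pattern the advisory describes; a per-entity threshold alone would see three unremarkable accounts.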

Remediation

Patch, then assume compromise.

Upgrade HashiCorp Vault to a release in which CVE-2025-6016 is fixed; the weaknesses were patched in coordination with HashiCorp. After upgrading, confirm the patched behavior on every cluster, including standby and DR nodes, and review login MFA configuration and authentication workflows so that the fixed behavior is in place consistently. Because MFA guessing could have gone unnoticed before the fix, review audit logs for the brute-force and entity-switching patterns described above and rotate credentials for any identity that shows them.
PUBLIC EXPLOITS

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Vendor | Product | Type
HashiCorp | Vault | application
