Cyber Posture

CVE-2025-11621

Severity: High
Published: 23 October 2025
Modified: 29 December 2025
KEV: not listed
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0013 (32.1st percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11621 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in the AWS auth method of HashiCorp Vault. Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 32.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The definitive fix is upgrading to a patched release; beyond that, the strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and two other techniques, T1210 and T1555.006. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (patch): Directly remediates the authentication bypass by upgrading to a fixed release: Vault Community Edition 1.21.0, or Vault Enterprise 1.21.0, 1.20.5, 1.19.11, or 1.16.27.

prevent (CM-6 Configuration Settings): Enforces secure configuration of Vault's AWS auth method: no wildcards in the bound IAM principal (the role's bound_iam_principal_arn parameter, which the advisory refers to as bound_principal_iam) and a distinct IAM role name for each AWS account, which removes the condition the bypass depends on.

prevent (AC-6 Least Privilege): Implements least privilege through distinct IAM roles bound to specific AWS accounts, so a same-named role in another account cannot satisfy the binding.
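As an added example, not HashiCorp's code and not from the advisory, the following Python script audits AWS auth role definitions for the two configurations the controls above call out: a wildcard in a bound principal, and one IAM role or user name bound from more than one AWS account. It assumes the role data is in the shape `vault read -format=json auth/aws/role/<name>` returns and carries the bound principals in the bound_iam_principal_arn field; the Vault role names, account IDs and ARNs below are constructed for the demonstration.

```python
"""Audit HashiCorp Vault AWS auth roles for the CVE-2025-11621 precondition.

Added example written for this page; it is not HashiCorp's code. Input is a
mapping of Vault role name to the role's data as returned by
`vault read -format=json auth/aws/role/<name>`; only the field
bound_iam_principal_arn is used. Two configurations the advisory names are
flagged: a wildcard anywhere in a bound principal ARN, and one IAM role or
user name bound from more than one AWS account. Sample roles are constructed.
"""
import re
from collections import defaultdict

# arn:partition:service:region:account:resource -- for IAM the region is empty.
IAM_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(?P<account>\d{12}|\*):(?P<resource>.+)$")


def principal_parts(arn):
    """Return (account_id, resource) from an IAM ARN, or None if it does not parse."""
    m = IAM_ARN_RE.match(arn)
    return (m.group("account"), m.group("resource")) if m else None


def principal_name(resource):
    """'role/app/deploy' -> 'deploy': the name the IAM role or user was created with."""
    return resource.split("/")[-1]


def audit_aws_auth_roles(roles):
    """Return findings as (severity, vault_role, principal, reason) tuples."""
    findings = []
    bindings_by_name = defaultdict(set)  # IAM name -> {(account_id, vault_role)}
    for vault_role, cfg in roles.items():
        arns = cfg.get("bound_iam_principal_arn") or []
        if isinstance(arns, str):  # older Vault releases returned a single string
            arns = [arns]
        for arn in arns:
            if "*" in arn:
                findings.append(("high", vault_role, arn,
                                 "wildcard in bound_iam_principal_arn"))
                continue
            parts = principal_parts(arn)
            if parts is None:
                findings.append(("warn", vault_role, arn,
                                 "bound principal is not an IAM ARN"))
                continue
            account, resource = parts
            bindings_by_name[principal_name(resource)].add((account, vault_role))
    # One IAM name bound from two or more accounts is the advisory's
    # "same across AWS accounts" condition, whether in one Vault role or several.
    for name, bindings in bindings_by_name.items():
        accounts = {account for account, _ in bindings}
        if len(accounts) > 1:
            for account, vault_role in sorted(bindings):
                findings.append(("high", vault_role, f"{account}:{name}",
                                 f"IAM name {name!r} is bound from {len(accounts)} accounts"))
    return findings


# Constructed weak configuration: the IAM role name "ci-runner" is bound from
# two accounts, and a third Vault role binds a wildcard.
WEAK_ROLES = {
    "ci-prod": {"auth_type": "iam",
                "bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/ci-runner"]},
    "ci-dev": {"auth_type": "iam",
               "bound_iam_principal_arn": ["arn:aws:iam::222222222222:role/ci-runner"]},
    "lambda-any": {"auth_type": "iam",
                   "bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/*"]},
}

# Constructed hardened configuration: a distinct IAM role name per account, no wildcards.
HARDENED_ROLES = {
    "ci-prod": {"auth_type": "iam",
                "bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/ci-runner-prod"]},
    "ci-dev": {"auth_type": "iam",
               "bound_iam_principal_arn": ["arn:aws:iam::222222222222:role/ci-runner-dev"]},
    "lambda-ingest": {"auth_type": "iam",
                      "bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/lambda-ingest"]},
}

if __name__ == "__main__":
    for label, roles in (("weak", WEAK_ROLES), ("hardened", HARDENED_ROLES)):
        result = audit_aws_auth_roles(roles)
        print(f"{label}: {len(result)} finding(s)")
        for sev, role, principal, reason in result:
            print(f"  [{sev}] role={role} principal={principal}: {reason}")
```

To run it against a live server, list the roles with `vault list auth/aws/roles`, read each one into the mapping, and treat any "high" finding as a role to fix before (and independently of) the upgrade. The check is deliberately name-based: the bypass condition is about the IAM role name, so different paths under the same name in different accounts still count as a shared name.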

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1555.006 Cloud Secrets Management Stores (tactic: Credential Access)
Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.
Why these techniques?

The CVE enables authentication bypass in HashiCorp Vault's AWS auth method, which gives an attacker exploitation of a remote service (T1210), privilege escalation from a low-privileged position (T1068), and credential access against a cloud secrets management store (T1555.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27.

Deeper analysis

CVE-2025-11621 is an authentication bypass in the AWS auth method of HashiCorp Vault and Vault Enterprise. It arises when the IAM principal bound to a Vault role (the bound_iam_principal_arn parameter, which the advisory refers to as bound_principal_iam) names the same role across more than one AWS account, or uses a wildcard. In that state the method's cache entries are mishandled and the principal check can be satisfied by an identity it was not meant to admit. The issue is classified under CWE-288 with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

The attack runs over the network with low complexity and no user interaction; the low privileges the vector requires are an AWS identity the attacker already controls, not existing Vault access. An attacker holding a role in a different AWS account whose name matches the bound principal, or any role that satisfies a wildcard binding, can log in to Vault as the configured role and then read or change whatever secrets and configuration that role's policies allow, hence the high confidentiality and integrity impact.

HashiCorp has addressed CVE-2025-11621 in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27. Upgrade to one of these releases; until the upgrade is applied, remove wildcards from bound principals and do not bind the same IAM role name from more than one AWS account. Additional details are in the HashiCorp security advisory HCSEC-2025-30 at https://discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709.
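As an added example, not part of this page or of HashiCorp's tooling, the following script looks for the exploitation pattern described above in Vault's audit log: a successful auth/aws/login whose caller comes from an AWS account that no configured role names. It assumes the JSON entries written by the file audit device and the account_id and canonical_arn keys that the AWS auth method stores in auth.metadata for IAM logins; the role configuration and the audit lines are constructed, and the field names should be checked against a real audit log before use.

```python
"""Flag Vault AWS auth logins from AWS accounts no role is configured to trust.

Added example written for this page; it is not HashiCorp's code. It consumes
JSON lines in the shape the Vault file audit device writes and relies on three
assumed fields: type == "response", request.path == "auth/aws/login", and
auth.metadata.account_id / canonical_arn, which the AWS auth method records
for IAM logins. The allow-list is the set of 12-digit account IDs named in the
bound_iam_principal_arn of every configured role. Roles and audit lines below
are constructed.
"""
import json


def expected_accounts(roles):
    """Account IDs named explicitly in any role's bound IAM principal ARNs.
    A wildcard account ('*') names no account and is skipped."""
    accounts = set()
    for cfg in roles.values():
        arns = cfg.get("bound_iam_principal_arn") or []
        if isinstance(arns, str):
            arns = [arns]
        for arn in arns:
            fields = arn.split(":")  # arn:partition:service:region:account:resource
            if len(fields) >= 6 and fields[4].isdigit() and len(fields[4]) == 12:
                accounts.add(fields[4])
    return accounts


def suspicious_aws_logins(audit_lines, allowed_accounts):
    """Return (time, account_id, canonical_arn) for each successful AWS login
    whose caller account is outside allowed_accounts (missing metadata counts
    as unknown and is reported too)."""
    hits = []
    for line in audit_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("type") != "response":
            continue
        if (entry.get("request") or {}).get("path") != "auth/aws/login":
            continue
        if entry.get("error"):  # rejected login: no token was issued
            continue
        meta = (entry.get("auth") or {}).get("metadata") or {}
        account = meta.get("account_id", "")
        if account not in allowed_accounts:
            hits.append((entry.get("time"), account, meta.get("canonical_arn")))
    return hits


# Constructed role configuration: two trusted accounts.
ROLES = {
    "ci-prod": {"bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/ci-runner"]},
    "ci-dev": {"bound_iam_principal_arn": ["arn:aws:iam::222222222222:role/ci-runner"]},
}

# Constructed audit entries: a legitimate login from account 111111111111, a
# login from account 999999999999 with a role that merely shares the name
# "ci-runner" (the cross-account case described above), a non-login request,
# and a rejected login.
AUDIT_LINES = [
    json.dumps({"time": "2025-10-24T09:00:01Z", "type": "response",
                "request": {"path": "auth/aws/login", "operation": "update"},
                "auth": {"metadata": {"auth_type": "iam", "account_id": "111111111111",
                                      "canonical_arn": "arn:aws:iam::111111111111:role/ci-runner"}}}),
    json.dumps({"time": "2025-10-24T09:05:13Z", "type": "response",
                "request": {"path": "auth/aws/login", "operation": "update"},
                "auth": {"metadata": {"auth_type": "iam", "account_id": "999999999999",
                                      "canonical_arn": "arn:aws:iam::999999999999:role/ci-runner"}}}),
    json.dumps({"time": "2025-10-24T09:06:00Z", "type": "request",
                "request": {"path": "secret/data/app", "operation": "read"}}),
    json.dumps({"time": "2025-10-24T09:07:00Z", "type": "response",
                "request": {"path": "auth/aws/login", "operation": "update"},
                "error": "permission denied"}),
]

if __name__ == "__main__":
    for hit in suspicious_aws_logins(AUDIT_LINES, expected_accounts(ROLES)):
        print("suspicious AWS login:", hit)
```

The check is deliberately coarse: it works per account rather than per Vault role, so a login from a trusted account through the wrong role is not flagged, and it only catches the cross-account variant. It is a retrospective hunt for the window before the upgrade, not a substitute for it.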

Details

CWE(s)

CWE-288 Authentication Bypass Using an Alternate Path or Channel
Affected Products

hashicorp
vault
0.6.0 — 1.16.27 · 0.6.0 — 1.21.0 · 1.18.0 — 1.18.15

CVEs Like This One

CVE-2026-3605 (same product: HashiCorp Vault)
CVE-2025-6000 (same product: HashiCorp Vault)
CVE-2026-5807 (same product: HashiCorp Vault)
CVE-2026-5052 (same product: HashiCorp Vault)
CVE-2026-4525 (same product: HashiCorp Vault)
CVE-2025-0937 (same vendor: HashiCorp)
CVE-2025-68707 (shared CWE-288)
CVE-2025-0377 (same vendor: HashiCorp)
CVE-2025-1293 (same vendor: HashiCorp)
CVE-2025-22230 (shared CWE-288)

References