HashiCorp has released an important security advisory addressing a misconfiguration flaw in the Vault Terraform Provider that could allow attackers to authenticate to Vault without valid credentials when certain LDAP servers permit anonymous binds. The vulnerability, assigned CVE-2025-13357 and rated CVSS 7.4, stems from a dangerous default value introduced across multiple provider versions.
According to the advisory, "Vault's Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass."
The flaw affects Vault Terraform Provider versions v4.2.0 through v5.4.0. In these releases, the deny_null_bind parameter, which controls whether Vault will reject LDAP authentication attempts with empty passwords, unexpectedly defaulted to false.
HashiCorp explains: "If the parameter was not specified in the Terraform file, the value of deny_null_bind defaulted to false."
This behavior could allow:
- Anonymous LDAP binds
- Authentication without a password
- Unauthorized access to Vault when paired with permissive LDAP server configurations
In environments where LDAP servers allow anonymous or "null" binds, Vault's LDAP auth method could silently accept unauthenticated logins, essentially bypassing the security boundary entirely.
HashiCorp has corrected the default in the newly released Vault Terraform Provider v5.5.0.
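As an added illustration (not taken from the advisory or from the provider's own documentation), the Terraform shape that leaves the affected default in play is shown beside the hardened form; the hostname, DNs and variable name are placeholders. Setting deny_null_bind explicitly removes the dependence on whichever default the installed provider ships, and the version pin keeps the provider at or above the fixed release.

```hcl
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      # The corrected default landed in v5.5.0; do not allow older releases.
      version = ">= 5.5.0"
    }
  }
}

variable "ldap_bind_password" {
  type      = string
  sensitive = true
}

# Pattern affected on provider v4.2.0 through v5.4.0: deny_null_bind is
# omitted, so the provider configured Vault with false. If the LDAP server
# also accepts anonymous binds, a login with an empty password succeeds.
# Kept here only for contrast; the path differs so it does not collide.
resource "vault_ldap_auth_backend" "ldap_implicit_default" {
  path     = "ldap-legacy"
  url      = "ldaps://ldap.example.internal"      # placeholder host
  userdn   = "ou=Users,dc=example,dc=internal"    # placeholder DN
  groupdn  = "ou=Groups,dc=example,dc=internal"   # placeholder DN
  binddn   = "cn=vault,ou=Service,dc=example,dc=internal"
  bindpass = var.ldap_bind_password
  # deny_null_bind not set: false on the affected provider versions
}

# Hardened form: the value is stated explicitly, so the resulting Vault
# configuration rejects empty-password binds regardless of provider version.
resource "vault_ldap_auth_backend" "ldap" {
  path           = "ldap"
  url            = "ldaps://ldap.example.internal"
  userdn         = "ou=Users,dc=example,dc=internal"
  userattr       = "uid"
  groupdn        = "ou=Groups,dc=example,dc=internal"
  binddn         = "cn=vault,ou=Service,dc=example,dc=internal"
  bindpass       = var.ldap_bind_password
  deny_null_bind = true
}
```

After applying, the effective setting can be confirmed on the Vault side with `vault read auth/ldap/config` and checking that deny_null_bind reports true.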