HashiCorp has released an important security advisory addressing a misconfiguration flaw in the Vault Terraform Provider that could allow attackers to authenticate to Vault without valid credentials when certain LDAP servers permit anonymous binds. The vulnerability, assigned CVE-2025-13357 and rated CVSS 7.4, stems from a dangerous default value introduced across multiple provider versions.
According to the advisory, “Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass.”
The flaw affects Vault Terraform Provider versions v4.2.0 through v5.4.0. In these releases, the deny_null_bind parameter—which controls whether Vault will reject LDAP authentication attempts with empty passwords—unexpectedly defaulted to false.
HashiCorp explains: “If the parameter was not specified in the Terraform file, the value of deny_null_bind defaulted to false.”
This behavior could allow:
- Anonymous LDAP binds
- Authentication without a password
- Unauthorized access to Vault when paired with permissive LDAP server configurations
In environments where LDAP servers allow anonymous or “null” binds, Vault’s LDAP auth method could silently accept unauthenticated logins — essentially bypassing the security boundary entirely.
HashiCorp has corrected the default in the newly released Vault Terraform Provider v5.5.0.
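The mitigation on the provider side is to pin a fixed release and to set the parameter explicitly rather than relying on any default. The following Terraform configuration is an added example, not code from HashiCorp's advisory; the LDAP URL, DNs, mount path and service-account names are placeholder values.

```hcl
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
      # Versions v4.2.0 through v5.4.0 defaulted deny_null_bind to false
      # when the argument was omitted; v5.5.0 restores the secure default.
      version = ">= 5.5.0"
    }
  }
}

# Bind password for the directory service account (placeholder variable).
variable "ldap_bindpass" {
  type      = string
  sensitive = true
}

# LDAP auth method mount (all directory values below are assumed examples).
resource "vault_ldap_auth_backend" "corp" {
  path     = "ldap"
  url      = "ldaps://ldap.example.internal:636"
  userdn   = "ou=Users,dc=example,dc=internal"
  userattr = "uid"
  groupdn  = "ou=Groups,dc=example,dc=internal"
  binddn   = "cn=vault-svc,ou=Service,dc=example,dc=internal"
  bindpass = var.ldap_bindpass

  # Set explicitly regardless of provider version. On an affected provider
  # with this argument omitted, Vault would treat an empty password as a
  # successful bind whenever the directory permits anonymous or null binds.
  deny_null_bind = true
}
```

After applying, `vault read auth/ldap/config` should report `deny_null_bind` as `true`; any mount where it reads `false` was provisioned with the insecure default and should be corrected the same way.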