CVE-2025-11621 Overview
CVE-2025-11621 is an authentication bypass vulnerability in HashiCorp Vault and Vault Enterprise. The flaw affects the AWS Auth method when the IAM role named in bound_iam_principal_arn exists under the same name in more than one AWS account, or when the binding uses a wildcard. Vault mishandles cache entries under these conditions, allowing an authenticated client in one AWS account to obtain credentials tied to a role in another account. The issue is tracked under HashiCorp Security Advisory HCSEC-2025-30 and is classified as [CWE-288] Authentication Bypass Using an Alternate Path or Channel.
Critical Impact
Attackers with valid AWS IAM credentials can authenticate to Vault as a different principal across AWS accounts, gaining unauthorized access to secrets and policies bound to that role.
Affected Products
- HashiCorp Vault Community Edition prior to 1.21.0
- HashiCorp Vault Enterprise prior to 1.21.0, 1.20.5, 1.19.11
- HashiCorp Vault Enterprise LTS prior to 1.16.27
Discovery Timeline
- 2025-10-23 - CVE-2025-11621 published to NVD
- 2025-12-29 - Last updated in NVD database
Technical Details for CVE-2025-11621
Vulnerability Analysis
Vault's AWS Auth method authenticates clients using signed AWS Security Token Service (STS) GetCallerIdentity requests. Operators bind Vault roles to AWS IAM principals through the bound_iam_principal_arn parameter. This parameter accepts either a specific ARN or a wildcard pattern to match multiple principals.
The vulnerability stems from improper handling of internal cache entries used during principal resolution. When two AWS accounts contain IAM roles with identical names, or when a wildcard binding matches roles across multiple accounts, Vault can return a cached entry that maps to the wrong account. An authenticated AWS principal in account A can then receive a Vault token bound to a role intended only for account B.
Successful exploitation grants the attacker access to any secret engines, policies, and downstream resources accessible through the impersonated role. The integrity and confidentiality of secrets managed by Vault are compromised.
Root Cause
The defect lies in the cache key used during AWS authentication. The cache does not sufficiently disambiguate identical role names across separate AWS account IDs, allowing collision when bound_iam_principal_arn is non-unique across accounts or uses a wildcard.
Attack Vector
The attacker requires valid IAM credentials in an AWS account whose role name matches a role configured in another account's Vault binding, or that falls under a wildcard binding. The attacker submits a signed sts:GetCallerIdentity request to Vault's /auth/aws/login endpoint. Due to the cache mishandling, Vault returns a token associated with the role in the unintended account.
The vulnerability requires network access to the Vault API and low-privilege authentication, but no user interaction. Refer to the HashiCorp Security Advisory HCSEC-2025-30 for vendor details.
Detection Methods for CVE-2025-11621
Indicators of Compromise
- Vault audit log entries showing successful auth/aws/login events where the resolved account ID does not match the expected account ID for the target role.
- Token issuance to AWS principals that should not have access to a given Vault role or policy set.
- Unexpected secret reads or KV access following AWS Auth logins from previously unseen client_arn values.
Detection Strategies
- Enable Vault audit devices and parse auth/aws/login requests, correlating the client_arn, account_id, and role fields to detect cross-account mismatches.
- Compare authenticated AWS account IDs against the account IDs expected by each Vault role's bound_iam_principal_arn configuration.
- Alert on any AWS Auth role configured with a wildcard bound_iam_principal_arn or with overlapping role names across accounts.
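The correlation the three strategies above describe, as an added example that is not part of the advisory or of HashiCorp's own tooling: it reduces each role's bindings to the account IDs the role should accept, flags wildcard or account-less bindings, and flags auth/aws/login audit entries whose account_id is not bound to the role that issued the token. The audit entries are constructed to resemble Vault's JSON audit log; the metadata field names and placement, including the role key, are assumptions rather than a documented layout.

```python
import json
import re

# IAM principal ARN: arn:aws:iam::<12-digit account>:role/<name>. The account
# field is what distinguishes identically named roles in different accounts.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}|\*)?:(role|user)/(.+)$")

def bound_accounts(bound_arns):
    """Return (accounts the bindings pin to, True if any binding is wildcarded:
    no account, '*' as the account, or '*' in the role name)."""
    accounts, wildcard = set(), False
    for arn in bound_arns:
        m = ARN_RE.match(arn)
        if not m or not m.group(1) or m.group(1) == "*" or "*" in m.group(3):
            wildcard = True
            continue
        accounts.add(m.group(1))
    return accounts, wildcard

def detect(audit_lines, role_bindings):
    """Return (finding, role, account) tuples for weak bindings and suspect logins."""
    findings, expected = [], {}
    for role, arns in role_bindings.items():
        expected[role], wildcard = bound_accounts(arns)
        if wildcard:
            findings.append(("wildcard_binding", role, None))
    for line in audit_lines:
        entry = json.loads(line)
        if (entry.get("type") != "response"
                or entry.get("request", {}).get("path") != "auth/aws/login"):
            continue  # only successful login responses carry an auth block
        meta = entry.get("auth", {}).get("metadata", {})
        role, acct = meta.get("role"), meta.get("account_id")
        # The issued token's role must be bound to the caller's own account
        if expected.get(role) and acct not in expected[role]:
            findings.append(("cross_account_login", role, acct))
        parts = meta.get("client_arn", "").split(":")  # account ID sits at index 4
        if len(parts) > 4 and parts[4] and parts[4] != acct:
            findings.append(("arn_account_mismatch", role, acct))
    return findings

# Constructed inputs: two AWS Auth roles and four entries shaped like Vault's
# JSON audit log (metadata field names and placement are an assumption).
ROLE_BINDINGS = {"app-prod": ["arn:aws:iam::111122223333:role/app-prod"],
                 "ci-runner": ["arn:aws:iam::*:role/ci-runner"]}  # risky wildcard
AUDIT_LINES = [
    '{"type":"response","request":{"path":"auth/aws/login"},"auth":{"metadata":{"role":"app-prod","account_id":"111122223333","client_arn":"arn:aws:sts::111122223333:assumed-role/app-prod/i-0aaa"}}}',
    '{"type":"response","request":{"path":"auth/aws/login"},"auth":{"metadata":{"role":"app-prod","account_id":"999988887777","client_arn":"arn:aws:sts::999988887777:assumed-role/app-prod/i-0bbb"}}}',
    '{"type":"response","request":{"path":"secret/data/app-prod"},"auth":{"metadata":{"role":"app-prod","account_id":"999988887777"}}}',
    '{"type":"response","request":{"path":"auth/aws/login"},"auth":{"metadata":{"role":"ci-runner","account_id":"555566667777","client_arn":"arn:aws:sts::555566667777:assumed-role/ci-runner/i-0ccc"}}}',
]
```

Running detect(AUDIT_LINES, ROLE_BINDINGS) reports the wildcard binding on ci-runner and the app-prod login from account 999988887777, while the in-account login and the unrelated secret read produce nothing.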
Monitoring Recommendations
- Stream Vault audit logs to a centralized SIEM and build detections for AWS Auth anomalies, including new client_arn values and account boundary crossings.
- Monitor downstream secret access patterns after AWS Auth logins to catch lateral movement following a successful bypass.
- Track Vault version inventory and flag clusters running versions prior to the fixed releases.
How to Mitigate CVE-2025-11621
Immediate Actions Required
- Upgrade to Vault Community Edition 1.21.0, or Vault Enterprise 1.21.0, 1.20.5, 1.19.11, or 1.16.27.
- Audit every AWS Auth role for wildcard bound_iam_principal_arn values and replace them with fully qualified ARNs that include the AWS account ID.
- Rotate Vault tokens issued through AWS Auth and invalidate any leases that may have been obtained through cross-account bypass.
Patch Information
HashiCorp resolved the cache handling defect in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27. Full remediation details are published in HashiCorp Security Advisory HCSEC-2025-30.
Workarounds
- Avoid wildcard patterns in bound_iam_principal_arn; bind each Vault role to fully qualified ARNs that include the source AWS account ID.
- Ensure IAM role names referenced by Vault are unique across AWS accounts that share the same Vault cluster.
- Restrict network reachability of Vault's /auth/aws/login endpoint to known administrative and workload networks until patching is complete.
# Example: replace wildcard binding with account-qualified ARN
vault write auth/aws/role/app-prod \
    auth_type=iam \
    bound_iam_principal_arn="arn:aws:iam::111122223333:role/app-prod" \
    policies="app-prod-policy" \
    ttl=1h
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.