HashiCorp Vault Bug Allows Attackers to Log In Without Credentials

A new HashiCorp Vault bug lets attackers bypass LDAP authentication entirely.

Written by Ken Underhill
Nov 25, 2025

A new vulnerability in HashiCorp’s Vault Terraform Provider could let attackers authenticate without credentials, exposing sensitive secrets and infrastructure data.

The flaw stems from a misconfigured default in the provider’s LDAP authentication settings.

“If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass,” HashiCorp stated in their advisory.

Inside the Vault LDAP Misconfiguration Flaw

The vulnerability (CVE-2025-13357) originates from an incorrect default behavior in the Vault Terraform Provider’s handling of the deny_null_bind parameter for LDAP authentication.

In affected versions, the parameter defaulted to false when not explicitly set in a Terraform configuration.

In environments where the underlying LDAP server permitted anonymous or null binds, this created a silent and dangerous condition in which Vault treated an empty password as a valid authentication attempt.

When the Terraform Provider created or updated an LDAP auth backend with the default parameter, Vault accepted unauthenticated LDAP connections, granting attackers the ability to authenticate without providing credentials.

This misconfiguration extended across environments managed through infrastructure-as-code (IaC), meaning multiple Vault clusters or namespaces could unknowingly inherit the insecure setting.

HashiCorp confirmed the flaw affects Terraform Provider v4.2.0 through v5.4.0, and Vault versions that still accepted empty passwords prior to the fix.

While there are no confirmed cases of active exploitation, a proof-of-concept would be straightforward in environments that permit anonymous LDAP binds.

How to Secure Your Vault Deployments

With Vault serving as a central store for secrets and encryption material, fixing this vulnerability is essential to preventing unauthorized access and downstream compromise.

  • Upgrade to the latest versions of Vault and the Terraform Provider.
  • Explicitly set deny_null_bind = true in all LDAP auth configurations to prevent unauthenticated or anonymous binds across every environment.
  • Disable anonymous binds on the LDAP server itself to ensure the directory service cannot accept null or empty password authentication attempts.
  • Restrict and segment network access to Vault’s LDAP auth endpoints using firewall rules, ACLs, and least-privilege connectivity controls.
  • Audit and harden LDAP authentication backends and Vault policies to verify no insecure defaults persist and to minimize permissions tied to LDAP-based logins.
  • Monitor for suspicious authentication activity such as empty-password attempts, unexpected token creation, or unusual Vault login patterns.
  • Strengthen operational security around Vault by rotating credentials and tokens, enforcing MFA for high-privilege roles, validating Terraform state for drift, and pinning provider versions.
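The audit script below is an added example, not code from the article or from HashiCorp, showing how to check the second bullet (explicit deny_null_bind = true) across IaC and live backends. It assumes the vault_ldap_auth_backend resource type from the Vault Terraform Provider, the module tree layout of `terraform show -json` plan output, and the `data` object returned by `vault read -format=json auth/ldap/config`; the sample plan is constructed.

```python
import json

# Resource type the HashiCorp Vault Terraform Provider uses for LDAP auth backends.
LDAP_BACKEND_TYPE = "vault_ldap_auth_backend"


def _walk_modules(module):
    """Yield every resource in a `terraform show -json` module tree (root and child modules)."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def audit_plan(plan_json: str) -> list:
    """Return addresses of LDAP auth backends whose deny_null_bind is not explicitly true.

    A missing key means the configuration relied on the provider default, which in the
    affected provider versions was false; an explicit false is flagged the same way.
    """
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in _walk_modules(root):
        if res.get("type") != LDAP_BACKEND_TYPE:
            continue
        if res.get("values", {}).get("deny_null_bind") is not True:
            findings.append(res.get("address", "<unknown address>"))
    return findings


def audit_live_config(vault_read_json: str) -> bool:
    """Check `vault read -format=json auth/ldap/config` output; True means null binds are denied."""
    data = json.loads(vault_read_json).get("data", {})
    return data.get("deny_null_bind") is True


# Constructed sample plan: one backend relying on the default, one setting the flag explicitly.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {
        "resources": [
            {"address": "vault_ldap_auth_backend.corp", "type": LDAP_BACKEND_TYPE,
             "values": {"path": "ldap", "url": "ldaps://ldap.example.internal"}},
        ],
        "child_modules": [{"resources": [
            {"address": "module.prod.vault_ldap_auth_backend.prod", "type": LDAP_BACKEND_TYPE,
             "values": {"path": "ldap-prod", "deny_null_bind": True}},
        ]}],
    }}
})

if __name__ == "__main__":
    for addr in audit_plan(SAMPLE_PLAN):
        print(f"INSECURE: {addr} does not set deny_null_bind = true")
```

Run it against `terraform show -json tfplan` output to catch drift before apply, and against each cluster's live config to catch backends created outside Terraform.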

Addressing the flaw requires a combination of software updates, configuration changes, and stronger operational practices to ensure secure authentication.

Why Secrets and Identity Layers Are Prime Targets

This incident demonstrates how a seemingly minor misconfiguration in infrastructure-as-code tooling can escalate into a serious authentication failure affecting entire organizations.

As enterprises continue automating security and identity workflows, the reliability of default settings in tools such as Terraform Providers becomes critically important.

The Vault vulnerability also reflects a broader trend: adversaries are increasingly targeting the identity and secrets layers of cloud environments, where even one misconfiguration can grant expansive and highly privileged access.

This growing pressure on identity infrastructure makes zero-trust principles essential for reducing the impact of misconfigurations.

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved