CVE-2025-55299
VaulTLS · VaulTLS Multiple Products
A critical vulnerability exists in VaulTLS products that allows for unauthenticated access to the system.
Executive summary
A critical vulnerability exists in VaulTLS products that allows for unauthenticated access to the system. User accounts created via the web interface are stored with an empty password, so anyone who can reach the login page can take over such an account by supplying its username and no password. No exploit tooling, credential guessing or user interaction is required. Because VaulTLS manages an organization's mTLS certificate infrastructure, a hijacked account puts certificate issuance and revocation in the attacker's hands, up to complete loss of control over that infrastructure.
Vulnerability
The vulnerability stems from improper password handling for user accounts created through the web UI. In affected versions (prior to 0.9.1), when a new user is provisioned via this interface, the system stores an empty string ("") as the account's password instead of enforcing a password creation policy or storing NULL, which would make password login impossible for that account. The login check then compares whatever is submitted against the stored value, so a request carrying a valid username and an empty password authenticates. An attacker therefore only needs to learn or guess a username created through the web UI to bypass authentication and act with the privileges of that account. Note that the defect is in account creation, so accounts created before a fix keep their empty password until it is changed; this is why remediation has to cover existing accounts and not only the upgrade.
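The defect and the two checks that close it, modelled in Rust (the language of the VaulTLS backend) as an added example. This is not VaulTLS's own code: the `UserStore`, `User`, `CreateError`, `hash_password`, `login_naive` and `login` names, the `Option<String>` storage (None meaning "no password login") and the sample usernames are illustrative assumptions, and `hash_password` is a dependency-free stand-in rather than a real password hash. The `accounts_with_empty_password` helper also covers the audit of existing accounts called for under Remediation.

```rust
// Added example, not VaulTLS code. Names, storage layout and sample data are
// assumptions made for illustration.
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

/// Stand-in for a real password hash (use argon2/bcrypt/scrypt in production).
/// It only exists so the example runs without external crates; it is NOT safe
/// for real credentials.
fn hash_password(password: &str) -> String {
    let mut h = DefaultHasher::new();
    password.hash(&mut h);
    format!("{:016x}", h.finish())
}

#[derive(Debug, Clone)]
pub struct User {
    pub name: String,
    /// None: no password login for this account at all.
    /// Some(hash): password login allowed against the stored hash.
    pub password_hash: Option<String>,
}

#[derive(Debug, Default)]
pub struct UserStore {
    users: HashMap<String, User>,
}

#[derive(Debug, PartialEq)]
pub enum CreateError {
    EmptyPassword,
    AlreadyExists,
}

impl UserStore {
    /// Vulnerable behaviour: the web-UI form submits no password and the handler
    /// silently hashes "" and stores it as the account's credential.
    pub fn create_user_vulnerable(&mut self, name: &str, password: Option<&str>) {
        let submitted = password.unwrap_or(""); // "" becomes a valid credential
        self.users.insert(
            name.to_string(),
            User { name: name.to_string(), password_hash: Some(hash_password(submitted)) },
        );
    }

    /// Hardened behaviour: an empty or whitespace-only password is refused at
    /// creation, and an account deliberately created without a password is stored
    /// as None so that no password can ever match it.
    pub fn create_user(&mut self, name: &str, password: Option<&str>) -> Result<(), CreateError> {
        if self.users.contains_key(name) {
            return Err(CreateError::AlreadyExists);
        }
        let password_hash = match password {
            Some(p) if !p.trim().is_empty() => Some(hash_password(p)),
            Some(_) => return Err(CreateError::EmptyPassword),
            None => None,
        };
        self.users.insert(name.to_string(), User { name: name.to_string(), password_hash });
        Ok(())
    }

    /// Login check as described in the advisory: whatever hash is stored is
    /// compared as-is, so an account created with "" accepts an empty login.
    pub fn login_naive(&self, name: &str, password: &str) -> bool {
        match self.users.get(name).and_then(|u| u.password_hash.as_deref()) {
            Some(stored) => stored == hash_password(password).as_str(),
            None => false,
        }
    }

    /// Defence in depth at login: reject an empty submission and an account with
    /// no stored hash before comparing, so a stray "" credential left in the
    /// database by an older version still cannot be used to log in.
    pub fn login(&self, name: &str, password: &str) -> bool {
        if password.is_empty() {
            return false;
        }
        match self.users.get(name).and_then(|u| u.password_hash.as_deref()) {
            Some(stored) => constant_time_eq(stored.as_bytes(), hash_password(password).as_bytes()),
            None => false,
        }
    }

    /// Audit helper for remediation: accounts whose stored credential is the hash
    /// of the empty string and therefore need a forced password reset.
    pub fn accounts_with_empty_password(&self) -> Vec<String> {
        let empty = hash_password("");
        let mut names: Vec<String> = self
            .users
            .values()
            .filter(|u| u.password_hash.as_deref() == Some(empty.as_str()))
            .map(|u| u.name.clone())
            .collect();
        names.sort();
        names
    }
}

/// Length-checked, non-short-circuiting byte comparison for the hash check.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

fn main() {
    let mut store = UserStore::default();
    store.create_user_vulnerable("alice", None); // created through the "web UI"
    println!("naive login, empty password for alice: {}", store.login_naive("alice", ""));
    println!("hardened login, empty password for alice: {}", store.login("alice", ""));
    println!("accounts needing a forced reset: {:?}", store.accounts_with_empty_password());
    println!("hardened create with empty password: {:?}", store.create_user("bob", Some("")));
}
```

The creation-side fix alone does not help an account that was already stored with an empty credential, which is why the login check also refuses empty submissions and why the audit helper exists.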
Business impact
This vulnerability is rated critical with a CVSS score of 9.4, reflecting trivial exploitation and the potential for complete system compromise. Successful exploitation grants the attacker the privileges of whichever web-UI-created account is hijacked; for an administrator account that means full control of the VaulTLS platform, including the ability to issue, revoke and manage mTLS certificates at will. Freshly issued certificates let the attacker impersonate clients or services that trust the organization's CA, enabling man-in-the-middle attacks and interception of sensitive data, while mass revocation can cause widespread service outages. Either outcome undermines trust in the organization's secure communication channels. The direct business impact includes potential data breaches, regulatory fines, reputational damage and significant operational disruption.
Remediation
Immediate Action: Upgrade all instances of VaulTLS to version 0.9.1 or later; this version corrects the flaw by enforcing a password policy during user creation. Do not assume the upgrade rewrites credentials already stored: after upgrading, review all existing user accounts, particularly those created via the web UI, and enforce a mandatory password reset so that no account retains an empty password. Verify the running version after the upgrade.
Proactive Monitoring: Review historical and current authentication logs for signs of compromise. Look for successful logins from unusual or untrusted IP addresses, especially for accounts that have never logged in before or that show anomalous activity afterwards; a successful login with no preceding failures from a new source is characteristic of this flaw, since the attacker needs no guessing. Also look for bursts of login attempts from a single source against many different usernames, which indicate an attacker enumerating accounts to find one created through the web UI.
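A minimal form of the log review described above, written in Rust as an added example rather than VaulTLS tooling. The line format `<timestamp> login user=<name> src=<ip> result=<success|failure>`, the sample log lines, the trusted-source list and the spray threshold are all constructed assumptions; adapt `parse_line` to the real log format of your instance and replace the trusted list with your management addresses.

```rust
// Added example, not VaulTLS code. The log format and sample lines below are
// constructed for illustration.
use std::collections::{BTreeSet, HashMap, HashSet};

#[derive(Debug, Clone, PartialEq)]
pub struct AuthEvent {
    pub ts: String,
    pub user: String,
    pub src: String,
    pub success: bool,
}

/// Parses one constructed line of the form
/// `<timestamp> login user=<name> src=<ip> result=<success|failure>`.
/// Returns None for lines that are not login events or lack a field.
pub fn parse_line(line: &str) -> Option<AuthEvent> {
    let mut parts = line.split_whitespace();
    let ts = parts.next()?.to_string();
    if parts.next()? != "login" {
        return None;
    }
    let (mut user, mut src, mut success) = (None, None, None);
    for kv in parts {
        match kv.split_once('=') {
            Some(("user", v)) => user = Some(v.to_string()),
            Some(("src", v)) => src = Some(v.to_string()),
            Some(("result", v)) => success = Some(v == "success"),
            _ => {}
        }
    }
    Some(AuthEvent { ts, user: user?, src: src?, success: success? })
}

#[derive(Debug, Clone, PartialEq)]
pub enum Finding {
    /// A successful login from outside the trusted sources; `first_login` marks
    /// an account with no earlier success in the reviewed window.
    UntrustedSuccess { ts: String, user: String, src: String, first_login: bool },
    /// One source tried at least the threshold number of distinct usernames.
    UsernameSpray { src: String, distinct_users: usize },
}

/// Runs both heuristics over the lines in order. `trusted` holds exact source
/// addresses (assumption: extend to CIDR matching for real networks).
pub fn analyze(lines: &[&str], trusted: &[&str], spray_threshold: usize) -> Vec<Finding> {
    let trusted: HashSet<&str> = trusted.iter().copied().collect();
    let mut seen_success: HashSet<String> = HashSet::new();
    let mut users_per_src: HashMap<String, BTreeSet<String>> = HashMap::new();
    let mut findings = Vec::new();

    for ev in lines.iter().filter_map(|l| parse_line(l)) {
        users_per_src.entry(ev.src.clone()).or_default().insert(ev.user.clone());
        if ev.success {
            let first_login = !seen_success.contains(&ev.user);
            if !trusted.contains(ev.src.as_str()) {
                findings.push(Finding::UntrustedSuccess {
                    ts: ev.ts.clone(),
                    user: ev.user.clone(),
                    src: ev.src.clone(),
                    first_login,
                });
            }
            seen_success.insert(ev.user.clone());
        }
    }

    let mut sprays: Vec<(String, usize)> = users_per_src
        .into_iter()
        .filter(|(_, users)| users.len() >= spray_threshold)
        .map(|(src, users)| (src, users.len()))
        .collect();
    sprays.sort();
    for (src, distinct_users) in sprays {
        findings.push(Finding::UsernameSpray { src, distinct_users });
    }
    findings
}

/// Constructed sample: a routine admin session from a management host, then one
/// external source walking through usernames until one (erin) succeeds at once.
pub const SAMPLE_LOG: &[&str] = &[
    "2025-08-20T09:58:01Z login user=admin src=10.0.0.7 result=success",
    "2025-08-20T10:01:40Z login user=alice src=203.0.113.5 result=failure",
    "2025-08-20T10:01:41Z login user=bob src=203.0.113.5 result=failure",
    "2025-08-20T10:01:42Z login user=carol src=203.0.113.5 result=failure",
    "2025-08-20T10:01:43Z login user=dave src=203.0.113.5 result=failure",
    "2025-08-20T10:01:44Z login user=erin src=203.0.113.5 result=success",
    "2025-08-20T10:30:00Z login user=admin src=10.0.0.7 result=success",
    "2025-08-20T11:00:00Z login user=erin src=198.51.100.9 result=success",
];

/// Assumed management address that is allowed to reach the UI.
pub const TRUSTED: &[&str] = &["10.0.0.7"];

fn main() {
    for finding in analyze(SAMPLE_LOG, TRUSTED, 5) {
        println!("{:?}", finding);
    }
}
```

The first-ever success for `erin` arriving immediately after a run of failures against other names from the same source is the pattern to prioritise: an attacker exploiting this flaw does not need a second attempt once a web-UI-created account is found.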
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:
- Restrict network access to the VaulTLS web UI to a limited set of trusted IP addresses (e.g., internal management networks or specific administrator workstations).
- Enforce Multi-Factor Authentication (MFA) for all user accounts where your deployment can do so, for example through an SSO or identity-aware proxy placed in front of the web UI. A second factor prevents an attacker from gaining access with only a username and an empty password.
- Temporarily disable the ability to create new users via the web UI until the system can be patched.
- Conduct a full audit of all user accounts and set a strong, unique password on every account found to have an empty password; an account that should not log in with a password at all should not keep an empty one.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.4 and the trivial nature of exploitation (a username and an empty password, with no tooling required), this vulnerability poses an immediate and severe threat. We strongly recommend that all affected VaulTLS instances be patched to version 0.9.1 or newer on an emergency basis, followed by a reset of any account created through the web UI. This CVE is not currently on the CISA KEV list, but KEV tracks confirmed exploitation in the wild rather than severity, so its absence says nothing about how easy the flaw is to exploit; treat it as exploitable today. If patching is delayed for any reason, compensating controls such as network access restrictions and MFA must be implemented without delay to mitigate the significant risk of a full compromise.