EUVD-2025-19010 | CVE-2025-3091 | HIGH

Published 2025-06-24 [email protected]
CVSS 3.1 base score: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events)

Apr 16, 2026 06:36 - Analysis Updated (EUVD-patch-fix, executive_summary)
Apr 16, 2026 05:29 - Re-analysis Queued (backfill_euvd_patch, patch_released)
Apr 16, 2026 05:29 - Patch Available (EUVD): fixed versions 2.18.0, 2.16.5
Mar 15, 2026 22:36 - Analysis Generated (vuln.today)
Mar 15, 2026 22:36 - EUVD ID Assigned (euvd): EUVD-2025-19010
Jun 24, 2025 09:15 - CVE Published (nvd): HIGH 7.5

Description (NVD)

A low-privileged remote attacker in possession of the second factor for another user can log in as that user without knowledge of the other user's password.

Analysis (AI)

CVE-2025-3091 is an authentication bypass that lets a low-privileged remote attacker take over another user's account by possessing only that user's second factor (2FA), with no password check at all. It affects multi-factor authentication implementations in which the second factor can establish a session on its own. The CVSS score is 7.5 (High) with high attack complexity per the vector (AC:H). The weakness is serious for an MFA design because an attacker needs to compromise a single factor rather than every factor.

Technical Context (AI)

This vulnerability is classified under CWE-639 (Authorization through User-Controlled Key), pointing to flawed logic in how the authentication factors are validated and combined. The likely root cause is improper sequencing or decoupling of the factors: the system permits the second factor alone to establish an authenticated session without first requiring the primary factor (the password). Correct MFA orchestration chains the factors, or binds them together cryptographically, so that the second step is only reachable after the first has succeeded. Here the second factor (typically TOTP, SMS, a hardware token, or a push notification) appears to be treated as a standalone authentication method rather than a supplement to the primary credential, so an attacker who obtains a user's second factor, for example through phishing, SIM swapping, token theft, or social engineering, can impersonate that user entirely. No CPE data is provided, but the vulnerability class applies to identity and access management systems, web applications with 2FA, and authentication services.

Remediation (AI)

The timeline above lists fixed versions 2.18.0 and 2.16.5 from the EUVD record; confirm them against the vendor advisory, since this analysis does not itself include vendor patch details. General remediation steps:

(1) Immediate: Review and test the MFA implementation logic to ensure the factors are chained. The second factor must never grant authentication without a successful first-factor (password or biometric) validation.
(2) Patching: Apply security updates from the authentication provider as soon as they are released.
(3) Workarounds (if patches are unavailable): Add compensating controls such as re-authentication for sensitive operations, IP allowlisting, and adaptive authentication driven by risk signals (impossible-travel detection, anomalous device usage).
(4) Investigation: Audit authentication logs for accounts that were logged in via the second factor alone, with no corresponding password authentication event; such entries may indicate exploitation.
(5) User communication: Advise users to protect second factors as carefully as passwords; under this flaw, a compromised second factor is equivalent to a compromised password.
(6) Code review: If developing custom MFA, bind the factors to one server-issued login attempt and explicitly reject partial authentication chains.
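The chaining requirement in steps (1) and (6) and the log audit in step (4) are easiest to see side by side. The following is an added example written for this entry; it is not code from the affected product or from vuln.today. It models a hypothetical two-step login service: the vulnerable MFA endpoint trusts a client-supplied username and checks only the TOTP code, while the hardened endpoint accepts only a single-use pending-login token that the server issued after a successful password check. A small audit function then scans constructed log lines for `mfa_success` events with no matching `password_success`. The user, secret, salt, and log format are all constructed for the example.

```python
"""Hypothetical two-step login service illustrating the CVE-2025-3091 class of flaw.

Assumptions (constructed for this example, not the affected product's code):
  - users have a password hash and a TOTP secret
  - the vulnerable MFA endpoint trusts the caller's claimed username
  - the hardened MFA endpoint accepts only a pending-login token that the
    server itself issued after the password step succeeded
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def totp_code(secret: bytes, ts: int, step: int = 30) -> str:
    """Minimal RFC 6238 TOTP (HMAC-SHA1, 6 digits) so the example runs offline."""
    counter = (ts // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def hash_pw(password: str, salt: bytes = b"constructed-salt") -> bytes:
    """PBKDF2 password hash; fixed salt is only for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    pw_hash: bytes
    totp_secret: bytes


@dataclass
class AuthServer:
    users: dict
    pending: dict = field(default_factory=dict)  # token -> (username, issued_at)
    log: list = field(default_factory=list)      # constructed audit trail

    def password_step(self, username: str, password: str, now: int):
        """First factor: on success issue a server-side pending-login token."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.pw_hash, hash_pw(password)):
            self.log.append(f"{now} password_failure user={username}")
            return None
        token = secrets.token_hex(16)
        self.pending[token] = (username, now)
        self.log.append(f"{now} password_success user={username} login={token}")
        return token

    # --- vulnerable pattern: second factor alone creates a session ----------
    def mfa_step_vulnerable(self, username: str, code: str, now: int):
        """Flaw: trusts the client-supplied username and checks only the TOTP."""
        user = self.users.get(username)
        if user and hmac.compare_digest(code, totp_code(user.totp_secret, now)):
            self.log.append(f"{now} mfa_success user={username} login=none")
            return f"session:{username}"
        return None

    # --- hardened pattern: MFA bound to a server-issued pending-login token --
    def mfa_step_hardened(self, token: str, code: str, now: int, ttl: int = 300):
        """Second factor is only reachable through a token from password_step."""
        entry = self.pending.pop(token, None)  # single-use: a replay finds nothing
        if entry is None:
            return None
        username, issued = entry
        if now - issued > ttl:
            return None
        user = self.users[username]
        if not hmac.compare_digest(code, totp_code(user.totp_secret, now)):
            return None
        self.log.append(f"{now} mfa_success user={username} login={token}")
        return f"session:{username}"


def unchained_mfa_events(log_lines):
    """Audit: mfa_success events whose login id never had a password_success."""
    chained = {line.split("login=")[1] for line in log_lines if " password_success " in line}
    return [line for line in log_lines
            if " mfa_success " in line and line.split("login=")[1] not in chained]


def demo(now: int = 1_700_000_000):
    """Constructed scenario: a caller holds only alice's current TOTP code."""
    alice = User("alice", hash_pw("correct horse"), b"constructed-secret-alice")
    srv = AuthServer(users={"alice": alice})
    victim_code = totp_code(alice.totp_secret, now)
    hijacked = srv.mfa_step_vulnerable("alice", victim_code, now)   # session granted
    blocked = srv.mfa_step_hardened("no-such-token", victim_code, now)  # None
    token = srv.password_step("alice", "correct horse", now)
    legit = srv.mfa_step_hardened(token, victim_code, now)           # session granted
    replay = srv.mfa_step_hardened(token, victim_code, now)          # None, token spent
    return hijacked, blocked, legit, replay, unchained_mfa_events(srv.log)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The hardened path carries no per-user identifier from the client at the MFA step; the only way to reach it is a token the server minted after a password success, which is exactly the binding the remediation text asks for. The audit helper is the log-side version of the same rule and is what step (4) would run over real authentication logs, given a login-attempt id shared by both events.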


EUVD-2025-19010 vulnerability details – vuln.today
