Skip to main content

Xenforo EUVDEUVD-2025-209152

| CVE-2025-71279 CRITICAL
Improper Authentication (CWE-287)
2026-04-01 VulnCheck GHSA-gqgm-83rg-vhcj
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:47 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.3.7
EUVD ID Assigned
Apr 01, 2026 - 01:15 euvd
EUVD-2025-209152
Analysis Generated
Apr 01, 2026 - 01:15 vuln.today
CVE Published
Apr 01, 2026 - 00:30 nvd
CRITICAL 9.3

DescriptionCVE.org

XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be able to compromise the security of Passkey-based authentication.

AnalysisAI

Authentication bypass in XenForo versions prior to 2.3.7 compromises passkey-based authentication, allowing remote unauthenticated attackers to bypass security controls protecting passkey-enabled user accounts. No public exploit identified at time of analysis, though EPSS data not available. The vulnerability affects a critical authentication mechanism (WebAuthn/passkeys), representing a high-severity threat to forum platforms relying on this modern authentication method.

Technical ContextAI

XenForo is a commercial forum software platform that implemented passkey support for WebAuthn-based passwordless authentication. This vulnerability is classified as CWE-287 (Improper Authentication), indicating a fundamental flaw in how the platform validates passkey authentication attempts. Passkeys leverage public key cryptography where the private key remains on the user's device and the public key is stored server-side. The vulnerability suggests improper validation of the authentication ceremony, signature verification, or challenge-response mechanism, potentially allowing attackers to authenticate as passkey-enabled users without possessing the legitimate credential. The affected product is identified by CPE cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*, indicating all XenForo versions prior to the patched release are vulnerable.

RemediationAI

Vendor-released patch: XenForo 2.3.7. Administrators should immediately upgrade all XenForo installations to version 2.3.7 or later, which includes security fixes addressing the passkey authentication bypass. The official vendor advisory with upgrade instructions is available at https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/. As an interim measure if immediate patching is not feasible, administrators may consider temporarily disabling passkey authentication functionality until the upgrade can be completed, though this should be balanced against user experience impacts. Review authentication logs for any suspicious passkey authentication attempts prior to patching, particularly successful logins for passkey-enabled accounts during unusual timeframes or from unexpected locations.

Share

EUVD-2025-209152 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy