CVE-2025-6675
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-06-26

Last updated on: 2025-07-14

Assigner: Drupal.org

Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.8.0, from 5.2.0 before 5.2.1, from 0.0.0 before 5.0.*, from 0.0.0 before 5.1.*.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-26
Last Modified
2025-07-14
Generated
2026-05-07
AI Q&A
2025-06-26
EPSS Evaluated
2026-05-05
NVD
CVE-2025-6675
EUVD
EUVD-2025-19184
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
miniorange miniorange_2fa to 4.8.0 (exc)
miniorange miniorange_2fa From 5.0.1 (inc) to 5.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-6675 is an Authentication Bypass vulnerability in the Enterprise MFA - TFA module for Drupal. This module adds second-factor authentication to Drupal's login system. The flaw allows attackers who have obtained a user's username and password to bypass the multi-factor authentication protection by exploiting insufficient protection of certain authorization routes within the module, potentially gaining unauthorized access despite MFA being enabled. [1]


How can this vulnerability impact me? :

This vulnerability can allow an attacker who already knows a user's credentials to bypass multi-factor authentication and gain unauthorized access to the affected Drupal site. This can lead to partial compromise of confidentiality and integrity of the system, as unauthorized users may access sensitive information or perform unauthorized actions within the site. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade the Enterprise MFA - TFA module to the latest patched versions. Specifically, upgrade to miniorange_2fa version 5.2.1 for Drupal 9.3, Drupal 10, and Drupal 11, or to miniorange_2fa version 8.x-4.8 for Drupal 8, 9, and 10. Additionally, follow Drupal Security Team's policies and best practices for securing Drupal sites and consider contacting them for further information. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart