CVE-2025-54391
BaseFortify
Publication date: 2025-09-16
Last updated on: 2025-09-17
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zimbra | zimbra_collaboration | 10.1.10 |
| zimbra | zimbra_collaboration | 10.0.16 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS). It allows an attacker who already has valid user credentials to bypass the Two-Factor Authentication (2FA) protection by configuring an additional 2FA method without needing a valid authentication token or access to an existing 2FA method. Essentially, the attacker can add a new 2FA method and gain unauthorized access to accounts that should be protected by 2FA.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to user accounts that are supposed to be protected by Two-Factor Authentication. An attacker with valid credentials can bypass 2FA, potentially compromising sensitive information, performing unauthorized actions, and undermining the security of the affected accounts.