CVE-2025-56689
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-03

Last updated on: 2025-09-16

Assigner: MITRE

Description
One Identity by Quest Safeguard for Privileged Passwords Appliance 7.5.1.20903 is vulnerable to One Time Password (OTP)/Multifactor Authentication (MFA) bypass using response manipulation. An attacker who intercepts or captures a valid OTP response can bypass the OTP verification step by replaying the same response. NOTE: this is disputed by the Supplier because, by design, the product successfully authenticates a client that possesses a cookie whose validity time interval includes the current time, and thus authentication after any type of "interception" is not a violation of the security model. (The cookie has the HttpOnly attribute.)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-03
Last Modified
2025-09-16
Generated
2026-06-16
AI Q&A
2025-09-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-56689
EUVD
EUVD-2025-26603
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
quest one_identity 7.5.1.20903
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow attackers to access the Privileged Access Management (PAM) portal without needing to provide a valid OTP, effectively bypassing MFA protections. This unauthorized access can lead to attackers controlling arbitrary accounts, potentially compromising sensitive systems and data that rely on this authentication mechanism for security. [1]

Executive Summary

CVE-2025-56689 is a vulnerability in Quest One Identity 7.5.1.20903 that allows attackers to bypass the Multi-Factor Authentication (MFA) One-Time Password (OTP) verification step. An attacker can capture a valid backend response from a successful OTP verification and then replay this response during subsequent login attempts to bypass the OTP check. This means an attacker can gain access without providing a valid OTP by manipulating the response from the server. [1]

Detection Guidance

This vulnerability can be detected by monitoring for replayed backend responses during the MFA OTP verification process. Specifically, look for login attempts where an invalid OTP is submitted but the server returns a 200 OK response instead of the expected 400 Bad Request. Network traffic capturing tools like Wireshark or tcpdump can be used to capture and analyze these backend responses. Commands such as 'tcpdump -i <interface> port <relevant_port>' or using Wireshark filters to inspect HTTP responses for OTP verification endpoints can help identify suspicious replayed responses. [1]

Mitigation Strategies

Immediate mitigation steps include preventing the replay of backend responses by implementing proper session and response validation mechanisms. Ensure that the system invalidates OTP verification responses after use and employs anti-replay protections such as nonce or timestamp checks. Additionally, monitor and restrict access to the PAM portal, enforce strict logging and alerting on suspicious login attempts, and consider applying any available patches or updates from the vendor addressing this vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-56689. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart