CVE-2025-64103
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-29

Last updated on: 2025-11-04

Assigner: GitHub, Inc.

Description
Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors. Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-29
Last Modified
2025-11-04
Generated
2026-06-16
AI Q&A
2025-10-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64103
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
zitadel zitadel From 2.53.6 (inc) to 2.53.9 (inc)
zitadel zitadel From 2.54.3 (inc) to 2.54.10 (inc)
zitadel zitadel From 2.55.0 (inc) to 2.71.18 (exc)
zitadel zitadel From 3.0.0 (inc) to 3.4.3 (exc)
zitadel zitadel From 4.0.0 (inc) to 4.6.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-308 The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in Zitadel versions starting from 2.53.6, 2.54.3, and 2.55.0, where multi-factor authentication (MFA) was only enforced if the login policy explicitly required it via requireMFA or requireMFAForLocalUsers settings. If a user had set up MFA but the policy did not require it, Zitadel would accept single-factor authenticated sessions as valid, effectively bypassing the second authentication factor. An attacker could exploit this by targeting only the TOTP code (a six-digit code) and bypass password verification entirely, potentially compromising accounts that had 2FA enabled. This flaw weakens the security provided by MFA. The issue was fixed in versions 4.6.0, 3.4.3, and 2.71.18.

Impact Analysis

This vulnerability can allow attackers to bypass the second factor of authentication in Zitadel, compromising accounts that have two-factor authentication enabled. By exploiting this flaw, attackers can gain unauthorized access by only using the TOTP code without needing the password, which significantly reduces the security of user accounts and increases the risk of account takeover.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade Zitadel to version 4.6.0, 3.4.3, or 2.71.18 or later, where the issue is fixed. Additionally, review your login policies to ensure that multi-factor authentication is properly required by enabling requireMFA or requireMFAForLocalUsers settings to enforce MFA for all applicable users.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64103. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart