CVE-2026-12225
Authentication Bypass in syracom AG Secure Login for Atlassian Apps

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: SEC Consult Vulnerability Lab

Description
syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The issue is fixed in version 3.5.0.0.
Affected Vendors & Products

Vendor | Product | Version / Range
syracom_ag | secure_login_2fa | up to 3.5.0.0 (excluding)
syracom_ag | secure_login_2fa | 3.5.0.0
CWE

CWE-288: The product requires authentication, but the product has an alternate path or channel that does not require authentication.
AI Quick Actions
Executive Summary

CVE-2026-12225 is an authentication bypass vulnerability in the syracom AG Secure Login (2FA) plugin version 3.4.0.x for Atlassian Jira, Confluence, and Bitbucket. An attacker who already has valid user credentials can bypass the two-factor authentication (2FA) process by sending HTTP requests with a specially crafted User-Agent header containing strings like "AtlassianMobileApp" or "JIRA". When such a User-Agent is detected, the plugin does not enforce the configured 2FA checks, allowing the attacker to access the application as the compromised user without completing 2FA.

If the compromised account has administrative privileges, the attacker can access administrative functions, disable the 2FA plugin, or make arbitrary administrative changes. This vulnerability was fixed in version 3.5.0.0 of the plugin.

Impact Analysis

This vulnerability allows an attacker with valid user credentials to bypass two-factor authentication, significantly weakening the security of your Atlassian applications. The attacker can gain unauthorized access to user accounts without completing 2FA.

If the compromised account has administrative privileges, the attacker can perform administrative actions such as disabling the 2FA plugin or making arbitrary changes, potentially leading to full control over the affected Atlassian environment.

Exploitation requires prior access to user credentials, which could be obtained through phishing or credential leaks, making it critical to apply the patch and protect credentials.

Detection Guidance

Exploitation can be detected by monitoring HTTP requests to the affected Atlassian applications for User-Agent headers containing the strings named in the advisory, such as "AtlassianMobileApp" or "JIRA". An attacker supplies these User-Agent values so that the plugin skips the two-factor authentication (2FA) flow.

To find potential exploitation attempts, analyze web server logs or network traffic for requests with these User-Agent values that reach protected resources without passing through 2FA enforcement. Because legitimate Atlassian mobile clients also present these values, treat a match as a lead rather than a verdict: correlate it with the account's usual clients and source addresses, and with any subsequent administrative activity.

Example commands to search for these User-Agent values in web server logs (assuming the Apache or Nginx "combined" log format, which writes the User-Agent as the last quoted field rather than as a literal `User-Agent:` header line):

  • grep -i 'AtlassianMobileApp' /var/log/apache2/access.log
  • grep 'JIRA' /var/log/apache2/access.log

The second pattern is deliberately case-sensitive: a case-insensitive search would also match every `/jira/` request path.

Alternatively, if using network monitoring tools like tcpdump or Wireshark, you can filter HTTP headers for these User-Agent strings to identify suspicious requests.
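The following script is an added example for the detection guidance above; it is not part of the advisory or of the syracom plugin. It parses combined-format access log lines, keeps those whose User-Agent field carries one of the strings the advisory names, notes whether the request was served (2xx) or redirected (for example to a login or 2FA page), marks requests to administrative paths, and summarizes hits per account and source address. The log lines are constructed samples, and the assumption that Jira administrative screens live under `/secure/admin/` is labelled in the code.

```python
"""Added example (not from the advisory): scan combined-format access log
lines for the User-Agent values named in CVE-2026-12225 and summarise the
hits per account and source address. Sample lines are constructed."""
import re
from collections import defaultdict

# Apache/Nginx "combined" format:
#   host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# User-Agent substrings named in the advisory. Only the UA field is tested,
# so a '/jira/' request path can never produce a hit; "JIRA" is kept
# case-sensitive because that is how the advisory spells it.
SUSPECT_UA = (
    re.compile(r"AtlassianMobileApp", re.IGNORECASE),
    re.compile(r"\bJIRA\b"),
)

# Assumption (not from the advisory): Jira administrative screens sit under
# /secure/admin/. Adjust for Confluence or Bitbucket deployments.
ADMIN_PATH_PREFIXES = ("/secure/admin/",)

# Constructed sample log lines for offline testing.
SAMPLE_LINES = [
    '203.0.113.7 - - [16/Jun/2026:10:01:12 +0000] "GET /rest/api/2/myself HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"',
    '203.0.113.7 - alice [16/Jun/2026:10:02:40 +0000] '
    '"GET /secure/admin/ViewApplicationProperties.jspa HTTP/1.1" 200 8123 "-" '
    '"AtlassianMobileApp/1.0"',
    '198.51.100.9 - bob [16/Jun/2026:10:05:03 +0000] "GET /rest/api/2/issue/ABC-1 HTTP/1.1" '
    '200 2048 "-" "JIRA Mobile for Android 5.2"',
    '198.51.100.10 - - [16/Jun/2026:10:06:11 +0000] "GET /browse/jira-123 HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"',
    '203.0.113.7 - carol [16/Jun/2026:10:07:55 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" '
    '302 0 "-" "AtlassianMobileApp/1.0"',
    "not a log line",
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    parts = fields["request"].split()
    fields["path"] = parts[1] if len(parts) >= 2 else ""
    return fields


def is_suspect_ua(ua):
    """True when the User-Agent carries one of the advisory's strings."""
    return any(p.search(ua) for p in SUSPECT_UA)


def find_candidates(lines):
    """Return parsed records whose User-Agent matches.

    'served' is True for 2xx responses (the protected resource was returned);
    a 3xx usually means the request was redirected to a login or 2FA page.
    'admin' marks requests to administrative paths."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_suspect_ua(rec["ua"]):
            continue
        rec["served"] = rec["status"].startswith("2")
        rec["admin"] = rec["path"].startswith(ADMIN_PATH_PREFIXES)
        hits.append(rec)
    return hits


def summarize_by_user(hits):
    """Map each authuser ('-' when the app relied on a session cookie instead
    of HTTP authentication) to the set of source addresses that sent suspect
    requests as that user."""
    by_user = defaultdict(set)
    for rec in hits:
        by_user[rec["user"]].add(rec["host"])
    return dict(by_user)


if __name__ == "__main__":
    for rec in find_candidates(SAMPLE_LINES):
        print(f"{rec['time']} user={rec['user']} src={rec['host']} "
              f"path={rec['path']} served={rec['served']} admin={rec['admin']} ua={rec['ua']!r}")
    print(summarize_by_user(find_candidates(SAMPLE_LINES)))
```

On real logs the `authuser` field is usually `-`, since Atlassian applications authenticate with session cookies; in that case the per-user summary collapses and the source address plus request path is what to pivot on, together with the application's own login audit records.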

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to update the syracom AG Secure Login (2FA) plugin to version 3.5.0.0 or later, which contains the security fix that enforces 2FA checks properly and blocks the bypass via crafted User-Agent headers.

If updating immediately is not possible, administrators can enable the legacy login mode by setting the JVM system property `-Datlassian.authentication.legacy.mode=true`. This enforces 2FA during mobile app logins and prevents bypass, but may affect mobile app functionality.

Administrators should also review their Data Center JVM system properties after upgrading to ensure mobile app authentication is configured securely according to their needs.

No other workarounds are necessary beyond applying the patch or enabling the legacy mode flag.
