CVE-2025-30236
Published: 19 March 2025
Description
Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
Security Summary
CVE-2025-30236 affects Shearwater SecurEnvoy SecurAccess Enrol versions prior to 9.4.515. The vulnerability enables authentication using only a six-digit Time-based One-Time Password (TOTP) code, bypassing the required password check. This occurs when an HTTP POST request includes a SESSION parameter, allowing flawed session handling that skips secondary authentication factors.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N). By crafting an HTTP POST request with a valid SESSION parameter and a correct six-digit TOTP code, the attacker achieves unauthorized authentication, leading to high integrity impact through potential account takeover or unauthorized access to protected resources.
Mitigation is addressed in the release notes for SecurEnvoy SecurAccess Enrol version 9.4.515, available from the vendor. Security practitioners should upgrade to this version or later to patch the issue. Additional technical details on the vulnerability, including probabilistic exploitation aspects, are documented in the referenced analysis at reserge.org.
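The flaw class described in the Security Summary, as an added example that is not SecurEnvoy's code or part of the original advisory: a toy login flow in which a SESSION field alone reaches the TOTP step, next to a version that requires the server-side session to have passed the password check first. The user record, the function names and the `code` form field are assumptions made for illustration.

```python
import hashlib, hmac, secrets, struct, time

def pw_hash(password):
    # Constructed fixed salt; a real store uses a random per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)

# Constructed sample user; the TOTP key is the RFC 6238 test key.
USERS = {"alice": {"pw": pw_hash("correct horse"), "totp_key": b"12345678901234567890"}}
SESSIONS = {}  # server-side state: session id -> {"user", "password_ok"}

def totp(key, now=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30-second step, six digits."""
    t = time.time() if now is None else now
    mac = hmac.new(key, struct.pack(">Q", int(t // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def start_session(user):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "password_ok": False}
    return sid

def submit_password(sid, password):
    s = SESSIONS.get(sid)
    if s is None:
        return False
    s["password_ok"] = hmac.compare_digest(pw_hash(password), USERS[s["user"]]["pw"])
    return s["password_ok"]

def code_ok(session, code, now):
    return hmac.compare_digest(code, totp(USERS[session["user"]]["totp_key"], now))

def login_flawed(form, now=None):
    """Hypothetical model of the bug class: SESSION alone reaches the TOTP step."""
    s = SESSIONS.get(form.get("SESSION"))
    return s is not None and code_ok(s, form.get("code", ""), now)

def login_hardened(form, now=None):
    """Accept the TOTP code only after this session passed the password check."""
    sid = form.get("SESSION")
    s = SESSIONS.get(sid)
    if s is None or not s["password_ok"]:
        return False
    del SESSIONS[sid]  # one code attempt per password check, no session reuse
    return code_ok(s, form.get("code", ""), now)
```

The hardened handler keeps the "password verified" flag in server-side state keyed by the session id, so the presence of a SESSION value in the request proves nothing by itself.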
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass flaw in a public-facing web application that allows unauthorized access by skipping password and secondary MFA factors via crafted requests, directly enabling T1190 for initial access and facilitating T1556.006 by circumventing multi-factor authentication.