CVE-2025-31681
Published: 31 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-31681 is a missing authorization vulnerability (CWE-862) in the Drupal Authenticator Login contrib module that enables forceful browsing. This issue affects all versions of the module from 0.0.0 up to but not including 2.0.6. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows unauthorized access to protected resources via forceful browsing, potentially leading to full compromise of the affected Drupal site, including data exposure, modification, or disruption of services.
The Drupal security advisory at https://www.drupal.org/sa-contrib-2025-009 details the issue and recommends upgrading to Authenticator Login version 2.0.6 or later to mitigate the vulnerability.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization vulnerability in public-facing Drupal module enables forceful browsing and unauthorized access to protected resources with no privileges required, directly mapping to exploitation of public-facing applications for initial access and potential full site compromise.