CVE-2025-64103
Published: 29 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-64103 is an improper authentication vulnerability (CWE-287, CWE-308) affecting Zitadel, an open-source identity and access management system. Starting from versions 2.53.6, 2.54.3, and 2.55.0, Zitadel only enforced multi-factor authentication (MFA) if the login policy explicitly enabled requireMFA or requireMFAForLocalUsers. When users had MFA configured without these policy requirements, the system treated single-factor authenticated sessions as valid, bypassing the second factor. This weakens MFA protections and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote attackers with no privileges or user interaction to bypass password verification entirely by targeting only the TOTP code, a six-digit value. Attackers can compromise accounts protected by 2FA, gaining unauthorized access to sessions and potentially escalating privileges within the Zitadel-managed environment.
Mitigation is available via patches in Zitadel versions 4.6.0, 3.4.3, and 2.71.18. The GitHub security advisory (GHSA-cfjq-28r2-4jv5) and fixing commit (b284f8474eed0cba531905101619e7ae7963156b) provide further details on the resolution and recommend upgrading immediately.
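The flaw described above is a decision-logic error: the session check consulted only the login policy flags, not whether the user had actually enrolled a second factor. The following Go program is an added illustration written for this page; it is not Zitadel's code, and the type names, field names and the hypothetical TOTP-only session are constructed for the example. It places the policy-only check beside a hardened check that always demands the first factor and demands the second factor whenever the user has one enrolled, so a defender can see which sessions each version would accept.

```go
package main

import "fmt"

// Factor names an authentication step a session has completed.
// Constructed for this example; not Zitadel's own types.
type Factor string

const (
	FactorPassword Factor = "password"
	FactorTOTP     Factor = "totp"
)

// LoginPolicy mirrors the two policy flags named in the advisory.
type LoginPolicy struct {
	RequireMFA              bool
	RequireMFAForLocalUsers bool
}

// User carries the facts the decision needs: whether the account is a
// local (password) account and whether a second factor is enrolled.
type User struct {
	Name          string
	IsLocal       bool
	MFAConfigured bool
}

// Session records which factors were completed (only true entries are stored).
type Session struct {
	Completed map[Factor]bool
}

func (s Session) has(f Factor) bool { return s.Completed[f] }

func (s Session) count() int {
	n := 0
	for _, done := range s.Completed {
		if done {
			n++
		}
	}
	return n
}

// policyRequiresMFA is the policy-flag test shared by both checks.
func policyRequiresMFA(p LoginPolicy, u User) bool {
	return p.RequireMFA || (p.RequireMFAForLocalUsers && u.IsLocal)
}

// isAuthenticatedVulnerable models the flawed decision: any single completed
// factor is enough unless the policy flags say a second one is required.
// The user's own MFA enrolment is never consulted.
func isAuthenticatedVulnerable(p LoginPolicy, u User, s Session) bool {
	n := s.count()
	if n == 0 {
		return false
	}
	if policyRequiresMFA(p, u) && n < 2 {
		return false
	}
	return true
}

// isAuthenticatedHardened models the corrected decision: the password factor
// is always required, and a second factor is required whenever the user has
// enrolled one or the policy demands it.
func isAuthenticatedHardened(p LoginPolicy, u User, s Session) bool {
	if !s.has(FactorPassword) {
		return false
	}
	if (u.MFAConfigured || policyRequiresMFA(p, u)) && !s.has(FactorTOTP) {
		return false
	}
	return true
}

func main() {
	// Constructed scenario: a permissive policy and a user who enrolled TOTP.
	policy := LoginPolicy{}
	user := User{Name: "alice", IsLocal: true, MFAConfigured: true}
	cases := map[string]Session{
		"totp only":       {Completed: map[Factor]bool{FactorTOTP: true}},
		"password only":   {Completed: map[Factor]bool{FactorPassword: true}},
		"password + totp": {Completed: map[Factor]bool{FactorPassword: true, FactorTOTP: true}},
	}
	for name, s := range cases {
		fmt.Printf("%-16s vulnerable=%v hardened=%v\n", name,
			isAuthenticatedVulnerable(policy, user, s),
			isAuthenticatedHardened(policy, user, s))
	}
}
```

The vulnerable check accepts both single-factor sessions for a user who enrolled TOTP, because the policy flags are off; the hardened check rejects both and accepts only the session that completed password and TOTP. When reviewing session-validation code of your own, the property to assert is the hardened one: enrolment on the account, not policy alone, decides whether the second factor is mandatory.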
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an improper authentication flaw in a public-facing identity and access management application (Zitadel). It lets remote, unauthenticated attackers bypass password verification and MFA enforcement by targeting only the TOTP code, which maps directly to exploitation of a public-facing application for initial access.