Cyber Posture

CVE-2025-71279

Critical · Public PoC

Published: 01 April 2026
Modified: 01 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be able to compromise the security of Passkey-based authentication.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly mitigates the Passkey authentication flaw by requiring identification, reporting, and timely patching of XenForo to version 2.3.7 or later.
- prevent: Ensures proper management of Passkey authenticators, including establishment, protection, and revocation, to counter compromises of their security.
- prevent: Requires systems to implement robust identification and authentication for users, addressing the improper authentication (CWE-287) in XenForo Passkeys.

Security Summary [AI-generated]

CVE-2025-71279 is a high-severity vulnerability (CVSS 3.1 score of 9.8) in XenForo forum software versions prior to 2.3.7, specifically affecting Passkeys that have been added to user accounts. The issue, classified under CWE-287 (Improper Authentication), enables attackers to compromise the security of Passkey-based authentication mechanisms. Published on April 1, 2026, it poses a critical risk to installations relying on this passwordless authentication feature.

The vulnerability can be exploited remotely over the network (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and has an unchanged impact scope (S:U). An unauthenticated attacker can achieve high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), potentially bypassing or undermining Passkey protections to gain unauthorized access or disrupt authentication for affected accounts.

Advisories, including those from VulnCheck detailing a Passkey security bypass and XenForo's release notes for version 2.3.7, confirm that the issue is addressed in the 2.3.7 update, which includes security fixes. Security practitioners should prioritize upgrading to XenForo 2.3.7 or later to mitigate the risk.

Details

CWE(s)

CWE-287 Improper Authentication

Affected Products

Vendor: xenforo
Product: xenforo
Versions: ≤ 2.3.7

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is a high-severity improper authentication issue in the public-facing XenForo web forum software, enabling unauthenticated remote attackers to bypass Passkey protections and gain unauthorized access, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References