Authentication Bypass in Drupal Enterprise MFA - TFA Software
CVE-2025-47707

7.5HIGH

Key Information:

Vendor: Drupal
Status: Enterprise Mfa - Tfa For Drupal
Vendor: CVE Published:; 14 May 2025

What is CVE-2025-47707?

A vulnerability exists in the Drupal Enterprise MFA - TFA module that allows for an authentication bypass. This issue arises when authentication credentials can be circumvented, potentially granting access to unauthorized users. The affected versions include all releases prior to 4.7.0 and between 5.0.0 and 5.2.0. It is crucial for users of these versions to apply security patches to mitigate the risks associated with this vulnerability.

Affected Version(s)

Enterprise MFA - TFA for Drupal 0.0.0 < 4.7.0

Enterprise MFA - TFA for Drupal 5.0.0 < 5.2.0

References

https://www.drupal.org/sa-contrib-2025-053

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2025
Vulnerability Reserved
May 7, 2025

Credit

Conrad Lara (cmlara)

Sudhanshu Dhage (sudhanshu0542)

Greg Knaddison (greggles)

Juraj Nemec (poker10)