Bypass of Multifactor Authentication in TYPO3 CMS by TYPO3 Association
CVE-2025-47941

7.2HIGH

Key Information:

Vendor: Typo3
Status: Typo3
Vendor: CVE Published:; 20 May 2025

What is CVE-2025-47941?

A serious vulnerability exists in the TYPO3 Content Management System where the multifactor authentication (MFA) process can be bypassed during backend login. This issue arises from inadequate enforcement of access restrictions across all backend routes, allowing unauthorized users to gain access post-authentication. The vulnerability is only exploitable with valid backend user credentials, and users are strongly advised to update to TYPO3 version 12.4.31 LTS or 13.4.12 LTS to mitigate this risk.

Affected Version(s)

typo3 >= 12.0.0, < 12.4.31 < 12.0.0, 12.4.31

typo3 >= 13.0.0, < 13.4.12 < 13.0.0, 13.4.12

References

https://github.com/TYPO3/typo3/security/advisories/GHSA-7...

x_refsource_CONFIRM

https://typo3.org/security/advisory/typo3-core-sa-2025-015

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2025
Vulnerability Reserved
May 14, 2025

Typo3

What is CVE-2025-47941?

Affected Version(s)

References

CVSS V3.1

Timeline