Two-Factor Authentication Bypass in Zimbra Collaboration by Zimbra
CVE-2025-54391

9.1 CRITICAL

Key Information:

Vendor: Zimbra
CVE Published: 16 September 2025

What is CVE-2025-54391?

A significant vulnerability exists in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration that allows a malicious actor who holds valid user credentials to circumvent Two-Factor Authentication (2FA). By misconfiguring an additional 2FA method (either a third-party authenticator app or email-based 2FA), the attacker can gain unauthorized access to a user account without presenting a valid authentication token and without authenticating through the 2FA method already established on the account. The flaw undermines the protection that 2FA is meant to provide: an account whose password has been compromised can be accessed as if 2FA were not enabled.

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved