Privilege Escalation Issue in Drupal's Two-factor Authentication Module
CVE-2025-7030

6.5MEDIUM

Key Information:

Vendor: Drupal
Status: Two-factor Authentication (tfa)
Vendor: CVE Published:; 8 July 2025

What is CVE-2025-7030?

The Two-factor Authentication (TFA) module in Drupal is susceptible to a privilege escalation vulnerability caused by incorrectly configured access control mechanisms. This security flaw allows attackers to exploit improperly set security levels, leading to unauthorized actions and access within the system. Users of versions from 0.0.0 up to 1.10.9 are particularly at risk, making it essential to upgrade to address these critical access control weaknesses.

Affected Version(s)

Two-factor Authentication (TFA) 0.0.0 < 1.11.0

References

https://www.drupal.org/sa-contrib-2025-085

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 8, 2025
Vulnerability Reserved
Jul 2, 2025

Credit

Conrad Lara (cmlara)

cilefen (cilefen)

Dan Smith (galooph)

Greg Knaddison (greggles)

Jess (xjm)