Main Vulnerability Database Vulnerabilities #VU108904

Improper access control in Enterprise MFA - TFA for Drupal - CVE-2025-47706

Published: May 12, 2025

Vulnerability identifier: #VU108904

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2025-47706

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: gauravsood91

Affected software:
Enterprise MFA - TFA for Drupal

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected module does not sufficiently check whether the TOTP token is already used or not for authenticator-based second-factor methods. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

How to mitigate CVE-2025-47706

Install updates from vendor's website.

Sources

https://www.drupal.org/sa-contrib-2025-052

Improper access control in Enterprise MFA - TFA for Drupal - CVE-2025-47706

Detailed vulnerability description

How to mitigate CVE-2025-47706

Sources

Please verify you're human