CVE-2025-64103: Zitadel Bypass Second Authentication Factor

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-64103

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Zitadel Bypass Second Authentication Factor

Source: NVD (National Vulnerability Database)

Vulnerability Description

Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors. Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

使用单一因素认证机制

Source: NVD (National Vulnerability Database)

Vulnerability Title

ZITADEL 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

ZITADEL是瑞士ZITADEL开源的一个 Auth0、Firebase Auth、AWS Cognito 以及为容器和无服务器时代构建的 Keycloak 的现代开源替代方案。 ZITADEL 2.53.6版本、2.54.3版本和2.55.0版本存在安全漏洞，该漏洞源于未强制要求多因素认证，可能导致攻击者绕过密码验证并仅针对TOTP代码进行攻击。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
zitadel	zitadel	>= 4.0.0-rc.1, < 4.6.0	-

II. Public POCs for CVE-2025-64103

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-64103

Please Login to view more intelligence information

https://github.com/zitadel/zitadel/security/advisories/GHSA-cfjq-28r2-4jv5x_refsource_CONFIRM
https://github.com/zitadel/zitadel/commit/b284f8474eed0cba531905101619e7ae7963156bx_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2025-64103

New Vulnerabilities

Product: zitadel

Vendor: zitadel

Same weakness: CWE-308

V. Comments for CVE-2025-64103

No comments yet

Support Us — Your donation helps us keep running

I. Basic Information for CVE-2025-64103

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-64103

III. Intelligence Information for CVE-2025-64103

New Vulnerabilities

V. Comments for CVE-2025-64103

Leave a comment