CVE-2025-26788
Published: 14 February 2025
Summary
CVE-2025-26788 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Strongkey (inferred from references). Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26788 is a vulnerability in StrongKey FIDO Server versions before 4.15.1, where the server incorrectly treats a non-discoverable (namedcredential) flow as a discoverable transaction. This issue, linked to CWE-639 (Authorization Bypass Through User-Controlled Key), carries a CVSS v3.1 base score of 8.4 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L), indicating high severity due to its potential for significant confidentiality and integrity impacts.
The vulnerability can be exploited by an attacker with low privileges (PR:L) over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Exploitation changes scope to the server (S:C), allowing high impacts on confidentiality and integrity (C:H/I:H) alongside low availability impact (A:L). This enables authentication bypass scenarios, such as passkey authentication evasion, potentially compromising user sessions or credentials.
Advisories recommend upgrading to StrongKey FIDO Server version 4.15.1 or later to mitigate the issue, as outlined in the official release notes at https://docs.strongkey.com/index.php/skfs-v3/skfs-release-notes. Further technical details on the passkey authentication bypass are provided in the analysis at https://www.securing.pl/en/cve-2025-26788-passkey-authentication-bypass-in-strongkey-fido-server/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4243
Vulnerability details
StrongKey FIDO Server before 4.15.1 treats a non-discoverable (namedcredential) flow as a discoverable transaction.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing FIDO auth server enables network exploitation for auth bypass (T1190) leading to credential/session compromise (T1212).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the CVE by requiring timely identification, reporting, and correction of the flaw in StrongKey FIDO Server through vendor-recommended upgrades to version 4.15.1 or later.
Enforces approved authorizations to prevent the server from incorrectly processing non-discoverable credential flows as discoverable, blocking authorization bypass.
Implements and manages identification and authentication mechanisms that properly distinguish and validate credential types to avoid passkey authentication evasion.