Cyber Posture

CVE-2025-31676

Severity: High

Published: 31 March 2025
Modified: 04 June 2025
KEV Added: not listed
Patch: upgrade to Email TFA 2.0.3 or later (Drupal advisory SA-CONTRIB-2025-001)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (45.1 percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-31676 is a high-severity Weak Authentication (CWE-1390) vulnerability in the Drupal Email TFA module (vendor: Email Tfa Project). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). Its EPSS exploit-likelihood ranking sits at the 45.1 percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Brute Force (T1110).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- AC-7 (prevent): directly enforces limits on consecutive unsuccessful logon attempts and automated account locking, preventing brute force exploitation of the weak Email TFA authentication mechanism.
- SI-2 (prevent): mandates timely identification, reporting, and patching of system flaws, directly addressing the vulnerable Email TFA versions prior to 2.0.3 as recommended in the Drupal advisory.
- IA-5 (prevent): requires management of authenticator strength, distribution, and protection, partially mitigating brute force by ensuring robust TFA codes resistant to guessing.
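The AC-7 and IA-5 controls above come down to two properties of the code verifier: the code is generated with a CSPRNG and compared in constant time, and consecutive failures are counted and locked out. The following is an added illustration written for this page, not the Drupal Email TFA module's own code; the policy values (6 digits, 5-minute lifetime, 5 attempts, 15-minute lockout) and the per-challenge lockout state are assumptions. Passing `max_attempts=None` reproduces the CWE-307 condition the advisory describes (no restriction on failed attempts), and `guesses_evaluated` shows how many wrong guesses the verifier actually evaluates in each mode.

```python
"""Attempt-limited email TFA code check (added illustration, not the Drupal module's code)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed policy values; a real deployment would make these configurable.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # a code must be used within 5 minutes of issue
LOCKOUT_SECONDS = 900       # wait imposed once the failure limit is reached


@dataclass
class TfaChallenge:
    """One issued email code plus its failure / lockout state (assumed per-challenge)."""
    code: str
    issued_at: float
    failures: int = 0
    locked_until: float = 0.0
    consumed: bool = False


def issue_code(now: float) -> TfaChallenge:
    """Generate a fresh code with a CSPRNG (IA-5: authenticator strength)."""
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    return TfaChallenge(code=code, issued_at=now)


def verify_code(ch: TfaChallenge, submitted: str, now: float,
                max_attempts: Optional[int]) -> str:
    """Check a submitted code against the challenge.

    max_attempts=None reproduces the CWE-307 condition (no limit on failures);
    an integer enforces an AC-7 style lockout after that many consecutive failures.
    Returns one of: 'ok', 'wrong', 'locked', 'expired', 'consumed'.
    """
    if ch.consumed:
        return "consumed"
    if now < ch.locked_until:
        return "locked"
    if now - ch.issued_at > CODE_TTL_SECONDS:
        return "expired"
    # Constant-time comparison so response timing does not leak a matching prefix.
    if hmac.compare_digest(ch.code.encode(), submitted.encode()):
        ch.consumed = True          # a code is single-use
        ch.failures = 0
        return "ok"
    ch.failures += 1
    if max_attempts is not None and ch.failures >= max_attempts:
        ch.locked_until = now + LOCKOUT_SECONDS
        ch.failures = 0
    return "wrong"


def guesses_evaluated(max_attempts: Optional[int], n_guesses: int) -> int:
    """Count how many of n_guesses sequential wrong guesses the verifier evaluates
    against the code before a lockout stops them. Constructed scenario: every guess
    is wrong and all guesses arrive well within the code's lifetime."""
    now = 1_000.0
    ch = issue_code(now)
    evaluated = 0
    for i in range(n_guesses):
        guess = f"{i:0{CODE_DIGITS}d}"
        if guess == ch.code:
            guess = "x" * CODE_DIGITS   # keep the scenario all-wrong
        if verify_code(ch, guess, now + i * 0.01, max_attempts) == "wrong":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("no limit (CWE-307):", guesses_evaluated(None, 1000), "guesses evaluated")
    print("AC-7 limit of 5:   ", guesses_evaluated(5, 1000), "guesses evaluated")
```

With no limit every one of the 1000 guesses is checked against the code, so the only protection is the code's entropy; with a limit of five the verifier stops evaluating after five failures and every further submission returns `locked`. In a real module the failure counter would normally be keyed per account (and often per source address) rather than per issued challenge, so that re-requesting a code does not reset the budget.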

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1110 Brute Force (Credential Access): adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Why these techniques?

The vulnerability description explicitly states that it allows brute force attacks due to weak authentication and lack of restrictions on excessive authentication attempts in the Email TFA module, mapping directly to T1110 Brute Force for guessing TFA codes to achieve account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Weak Authentication vulnerability in Drupal Email TFA allows Brute Force. This issue affects Email TFA: from 0.0.0 before 2.0.3.

Deeper analysis [AI-generated]

CVE-2025-31676 is a weak authentication vulnerability in the Drupal Email TFA module that allows brute force attacks. The issue affects Email TFA versions from 0.0.0 before 2.0.3 and is associated with CWE-1390 (Weak Authentication) and CWE-307 (Improper Restriction of Excessive Authentication Attempts). It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

An attacker with low privileges, such as a registered Drupal user, can exploit this vulnerability remotely without user interaction. By brute-forcing the email-based two-factor authentication mechanism, the attacker can bypass weak protections, potentially achieving account takeover, unauthorized access to sensitive data, or further compromise of the Drupal site.

The Drupal security advisory SA-CONTRIB-2025-001 (https://www.drupal.org/sa-contrib-2025-001) details the vulnerability and recommends upgrading to Email TFA version 2.0.3 or later as the primary mitigation.

Details

CWE(s): CWE-1390 (Weak Authentication), CWE-307 (Improper Restriction of Excessive Authentication Attempts)

Affected Products

Vendor: email tfa project
Product: email tfa
Versions: ≤ 2.0.3

CVEs Like This One

CVE-2025-69246 (shared CWE-307)
CVE-2026-6947 (shared CWE-307)
CVE-2026-22278 (shared CWE-307)
CVE-2025-14362 (shared CWE-307)
CVE-2025-23368 (shared CWE-307)
CVE-2024-57610 (shared CWE-307)
CVE-2025-63807 (shared CWE-1390, CWE-307)
CVE-2026-35597 (shared CWE-307)
CVE-2025-69615 (shared CWE-307)
CVE-2025-12547 (shared CWE-307)
