CVE-2025-31681
Published: 31 March 2025
Summary
CVE-2025-31681 is a critical-severity Missing Authorization (CWE-862) vulnerability in the Authenticator Login module for Drupal (vendor: Authenticator Login Project). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 39.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-31681 is a missing authorization vulnerability (CWE-862) in the Drupal Authenticator Login contrib module that enables forceful browsing. This issue affects all versions of the module from 0.0.0 up to but not including 2.0.6. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows unauthorized access to protected resources via forceful browsing, potentially leading to full compromise of the affected Drupal site, including data exposure, modification, or disruption of services.
The Drupal security advisory at https://www.drupal.org/sa-contrib-2025-009 details the issue and recommends upgrading to Authenticator Login version 2.0.6 or later to mitigate the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9036
Vulnerability details
Missing Authorization vulnerability in Drupal Authenticator Login allows Forceful Browsing. This issue affects Authenticator Login: from 0.0.0 before 2.0.6.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
This missing authorization vulnerability sits in a public-facing Drupal module and enables forceful browsing to protected resources with no privileges required, which maps directly to exploitation of public-facing applications for initial access and potential full site compromise.
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for access to resources, directly countering the missing authorization that enables forceful browsing in the Drupal module.
SI-2 requires timely identification, reporting, and correction of flaws like this missing authorization vulnerability, enabling patching to version 2.0.6 or later.
AC-6 enforces least privilege, so that even where access enforcement partially fails, the resources reachable through forceful browsing are limited in scope.