Cyber Resilience

CVE-2025-31681

Critical

Published: 31 March 2025
Modified: 02 June 2025
KEV Added: not listed
Patch: available (see advisory below)
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0039 (60.3rd percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-31681 is a critical-severity Missing Authorization (CWE-862) vulnerability in the Authenticator Login module (vendor: Authenticator Login Project). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 39.7% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-31681 is a missing authorization vulnerability (CWE-862) in the Drupal Authenticator Login contrib module that enables forceful browsing: a request for a protected path is served without the module verifying that the requester holds the required permission. The issue affects all versions of the module from 0.0.0 up to but not including 2.0.6. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity because of its high potential impact on confidentiality, integrity, and availability.

A remote attacker needs no privileges and no user interaction to exploit this vulnerability over the network, and the attack complexity is low. Successful exploitation grants unauthorized access to protected resources via forceful browsing, which can lead to full compromise of the affected Drupal site, including data exposure, modification, or disruption of services.

The Drupal security advisory at https://www.drupal.org/sa-contrib-2025-009 details the issue and recommends upgrading to Authenticator Login version 2.0.6 or later to mitigate the vulnerability.

Vulnerability details

Missing Authorization vulnerability in Drupal Authenticator Login allows Forceful Browsing. This issue affects Authenticator Login: from 0.0.0 before 2.0.6.

CWE(s): CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A missing authorization vulnerability in a public-facing Drupal module enables forceful browsing and unauthorized access to protected resources with no privileges required. This maps directly to exploitation of public-facing applications for initial access and potential full site compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)
CVE-2026-3045 (shared CWE-862)
CVE-2025-67956 (shared CWE-862)
CVE-2025-41765 (shared CWE-862)

Affected Assets

Vendor: Authenticator Login Project
Product: Authenticator Login
Affected versions: ≤ 2.0.6 (as listed; note that the advisory text above states versions from 0.0.0 before 2.0.6 are affected and 2.0.6 is the fixed release, so verify the installed version against 2.0.6 rather than relying on this range alone)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): mandates enforcement of approved authorizations for access to resources, directly countering the missing authorization that enables forceful browsing in the Drupal module.

SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and correction of flaws like this missing authorization vulnerability, enabling patching to version 2.0.6 or later.

AC-6 Least Privilege (prevent): enforces least privilege, limiting the scope of unauthorized access achieved through forceful browsing even if access enforcement partially fails.

References

Drupal security advisory SA-CONTRIB-2025-009: https://www.drupal.org/sa-contrib-2025-009