CVE-2025-47776
Published: 04 November 2025
Summary
CVE-2025-47776 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Mantisbt Mantisbt. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely patching of known flaws like the authentication bypass in MantisBT versions 2.27.1 and earlier, fixed in 2.27.2.
Requires authenticator management with sufficient strength of mechanism to avoid vulnerable MD5 hashing and loose comparisons exploitable via PHP type juggling.
Vulnerability scanning identifies and drives remediation of specific flaws such as CVE-2025-47776 in deployed issue trackers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a critical authentication bypass in a network-accessible web application (MantisBT), directly enabling exploitation of a public-facing application for unauthorized account access.
NVD Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Due to incorrect use of loose (==) instead of strict (===) comparison in the authentication code in versions 2.27.1 and below.PHP type juggling will cause certain MD5 hashes matching scientific…
more
notation to be interpreted as numbers. Instances using the MD5 login method allow an attacker who knows the victim's username and has access to an account with a password hash that evaluates to zero to log in without knowing the victim's actual password, by using any other password with a hash that also evaluates to zero This issue is fixed in version 2.27.2.
Deeper analysisAI
CVE-2025-47776 is a critical authentication bypass vulnerability in Mantis Bug Tracker (MantisBT), an open-source issue tracking system, affecting versions 2.27.1 and earlier. The flaw arises from the incorrect use of loose equality comparison (==) instead of strict equality (===) in the authentication code when using the MD5 login method. This triggers PHP type juggling, where certain MD5 password hashes represented in scientific notation are interpreted as numbers, specifically allowing hashes that evaluate to zero to match incorrectly. The vulnerability is rated 9.1 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-305.
An unauthenticated attacker with network access can exploit this vulnerability if they know the victim's username and have access to an account whose password hash evaluates to zero. By entering any password whose MD5 hash also evaluates to zero during login, the attacker can impersonate the victim without knowing their actual password, gaining unauthorized access to the account. This enables high-impact confidentiality and integrity violations, such as data exfiltration or modification.
The vulnerability is fixed in MantisBT version 2.27.2. The GitHub security advisory (GHSA-4v8w-gg5j-ph37) and the fixing commit (966554a19cf1bdbcfbfb3004766979faa748f9a2) detail the patch, which replaces the loose comparison with a strict one to prevent type juggling. Security practitioners should immediately upgrade affected instances to version 2.27.2 or later.
Details
- CWE(s)