CVE-2025-64103
Published: 29 October 2025
Summary
CVE-2025-64103 is a critical-severity Improper Authentication (CWE-287) vulnerability in Zitadel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 28.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
IA-5 requires proper management of authenticators, including sufficient strength of mechanism for MFA, which directly prevents acceptance of single-factor sessions when a user has MFA configured in Zitadel.
IA-2 enforces identification and authentication of organizational users, countering the vulnerability's failure to require multiple authentication factors as intended.
SI-2 mandates identification, reporting, and correction of software flaws such as this improper MFA enforcement, enabling patching to the fixed Zitadel versions.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability is an improper authentication flaw in a public-facing identity and access management application (Zitadel). It lets remote, unauthenticated attackers bypass password verification and MFA enforcement by targeting only the TOTP code, which maps directly to exploitation of a public-facing application for initial access.
NVD Description
Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi-factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single-factor authenticated sessions as valid as well and not require multiple factors. Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
Deeper analysis [AI]
CVE-2025-64103 is an improper authentication vulnerability (CWE-287, CWE-308) affecting Zitadel, an open-source identity and access management system. Starting from versions 2.53.6, 2.54.3, and 2.55.0, Zitadel only enforced multi-factor authentication (MFA) if the login policy explicitly enabled requireMFA or requireMFAForLocalUsers. When a user had MFA configured without either policy flag set, the system treated single-factor authenticated sessions as valid, so the second factor was never actually enforced. This weakens MFA protections and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote attackers with no privileges or user interaction to bypass password verification entirely by targeting only the TOTP code, a six-digit value. Attackers can compromise accounts protected by 2FA, gaining unauthorized access to sessions and potentially escalating privileges within the Zitadel-managed environment.
Mitigation is available via patches in Zitadel versions 4.6.0, 3.4.3, and 2.71.18. The GitHub security advisory (GHSA-cfjq-28r2-4jv5) and fixing commit (b284f8474eed0cba531905101619e7ae7963156b) provide further details on the resolution and recommend upgrading immediately.
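As an added illustration (hypothetical model, not Zitadel's own code; the types and functions are assumptions), the session-validity decision the advisory describes: the flawed rule consults only the login-policy flags, so a voluntarily enrolled second factor is never enforced and a TOTP-only session passes, while the corrected rule also honours the factors the user has enrolled.

```go
package main

import "fmt"

// Hypothetical model of the behaviour the advisory describes; not Zitadel code.
// LoginPolicy carries the two policy flags the advisory names.
type LoginPolicy struct {
	RequireMFA              bool
	RequireMFAForLocalUsers bool
}

// User records whether the account is local and whether a TOTP factor is enrolled.
type User struct {
	IsLocal   bool
	TOTPSetup bool
}

// Session records which factors this session has actually verified.
type Session struct {
	PasswordVerified bool
	TOTPVerified     bool
}

func policyRequiresMFA(p LoginPolicy, u User) bool {
	return p.RequireMFA || (p.RequireMFAForLocalUsers && u.IsLocal)
}

// VulnerableSessionValid demands a second factor only when the policy says so;
// otherwise any single verified factor, TOTP alone included, counts as valid.
func VulnerableSessionValid(p LoginPolicy, u User, s Session) bool {
	if policyRequiresMFA(p, u) {
		return s.PasswordVerified && s.TOTPVerified
	}
	return s.PasswordVerified || s.TOTPVerified
}

// FixedSessionValid enforces an enrolled factor even with no policy flag set,
// and never accepts a session on the second factor alone.
func FixedSessionValid(p LoginPolicy, u User, s Session) bool {
	if policyRequiresMFA(p, u) || u.TOTPSetup {
		return s.PasswordVerified && s.TOTPVerified
	}
	return s.PasswordVerified
}

func main() {
	policy := LoginPolicy{}                      // neither requireMFA flag enabled
	user := User{IsLocal: true, TOTPSetup: true} // user enrolled TOTP on their own
	totpOnly := Session{TOTPVerified: true}      // constructed: only the TOTP step passed
	fmt.Println("vulnerable accepts TOTP-only:", VulnerableSessionValid(policy, user, totpOnly)) // true
	fmt.Println("fixed accepts TOTP-only:", FixedSessionValid(policy, user, totpOnly))           // false
}
```

The defender-side check is the `u.TOTPSetup` term: once an account has a second factor enrolled, a session must verify both the password and that factor regardless of policy.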
Details
- CWE(s)