Cyber Resilience

CVE-2025-67507

High

Published: 10 December 2025

Published
10 December 2025
Modified
04 March 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 20.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-67507 is a high-severity Improper Authentication (CWE-287) vulnerability in Filamentphp Filament. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-67507 is a vulnerability in Filament, a collection of full-stack components for accelerated Laravel development. It affects versions 4.0.0 through 4.3.0 and stems from improper handling of recovery codes used in app-based multi-factor authentication (MFA). Specifically, the flaw allows the same recovery code to be reused indefinitely, bypassing intended one-time-use protections. This issue does not affect email-based MFA and only applies when recovery codes are enabled. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

Attackers can exploit this over the network without privileges or user interaction, though it requires high attack complexity. An unauthenticated adversary who obtains a single valid recovery code—potentially via phishing, compromise, or other means—can reuse it repeatedly to bypass app-based MFA. Successful exploitation enables unauthorized access to protected Laravel applications built with Filament, resulting in high impacts to confidentiality, integrity, and availability of affected systems.

Filament has addressed the issue in version 4.3.1. Administrators should upgrade to this patched release to mitigate the vulnerability. Additional details are available in the GitHub security advisory (GHSA-pvcv-q3q7-266g) and the fixing commit (87ff60ad9b6e16d4e14ee36a220b8917dd7b0815).

EU & UK References

Vulnerability details

Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does…

more

not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote attackers to bypass app-based MFA in public-facing Laravel web applications built with Filament by reusing recovery codes, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33080Same product: Filamentphp Filament
CVE-2026-8321Shared CWE-287, CWE-288
CVE-2026-3461Shared CWE-288
CVE-2025-67070Shared CWE-288
CVE-2026-42760Shared CWE-288
CVE-2025-71279Shared CWE-287
CVE-2024-13804Shared CWE-287
CVE-2026-45109Shared CWE-288
CVE-2026-42735Shared CWE-288
CVE-2024-57046Shared CWE-287

Affected Assets

filamentphp
filament
4.0.0 — 4.3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires proper management of recovery codes as authenticators, including processes for one-time use, invalidation after use, and recovery to prevent indefinite reuse.

prevent

Mandates timely identification, reporting, and correction of the specific flaw in Filament's recovery code handling through patching to version 4.3.1.

detect

Requires generation of audit records for authentication events, enabling detection of repeated use of the same recovery code.

References