CVE-2025-7030
Published: 08 July 2025
Summary
CVE-2025-7030 is a medium-severity Privilege Defined With Unsafe Actions (CWE-267) vulnerability in Two-factor Authentication (TFA), a Drupal module from the Two-Factor Authentication Project. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks at the 43.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20698
Vulnerability details
Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.11.0.
- CWE(s): CWE-267 (Privilege Defined With Unsafe Actions)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables users with the 'Administer TFA for other users' permission to bypass access controls and view other users' two-factor authentication recovery codes, which are unsecured authentication credentials.