Cyber Resilience

CVE-2025-71279

Critical · Public PoC

Published: 01 April 2026
Modified: 01 April 2026
CVSS Score (v4): 9.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0045 (35.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-71279 is a critical-severity Improper Authentication (CWE-287) vulnerability in Xenforo Xenforo. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 35.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-71279 is a high-severity vulnerability (CVSS 3.1 score of 9.8) in XenForo forum software versions prior to 2.3.7, specifically affecting Passkeys that have been added to user accounts. The issue, classified under CWE-287 (Improper Authentication), enables attackers to compromise the security of Passkey-based authentication mechanisms. Published on April 1, 2026, it poses a critical risk to installations relying on this passwordless authentication feature.

The vulnerability can be exploited remotely over the network (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and has an unchanged impact scope (S:U). An unauthenticated attacker can achieve high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), potentially bypassing or undermining Passkey protections to gain unauthorized access or disrupt authentication for affected accounts.

Advisories, including those from VulnCheck detailing a Passkey security bypass and XenForo's release notes for version 2.3.7, confirm that the issue is addressed in the 2.3.7 update, which includes security fixes. Security practitioners should prioritize upgrading to XenForo 2.3.7 or later to mitigate the risk.


Vulnerability details

XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be able to compromise the security of Passkey-based authentication.


MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a high-severity improper authentication issue in the public-facing XenForo web forum software, enabling unauthenticated remote attackers to bypass Passkey protections and gain unauthorized access, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35056 · Same product: Xenforo Xenforo
CVE-2025-71278 · Same product: Xenforo Xenforo
CVE-2025-71281 · Same product: Xenforo Xenforo
CVE-2025-71282 · Same product: Xenforo Xenforo
CVE-2025-1044 · Shared CWE-287
CVE-2026-1740 · Shared CWE-287
CVE-2026-7022 · Shared CWE-287
CVE-2024-13111 · Shared CWE-287
CVE-2026-29145 · Shared CWE-287
CVE-2018-25236 · Shared CWE-287

Affected Assets

xenforo xenforo ≤ 2.3.7

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-2 Flaw Remediation (prevent): Directly mitigates the Passkey authentication flaw by requiring identification, reporting, and timely patching of XenForo to version 2.3.7 or later.

IA-5 Authenticator Management (prevent): Ensures proper management of Passkey authenticators, including their establishment, protection, and revocation, to counter compromises of their security.

Identification and authentication (prevent): Requires systems to implement robust identification and authentication for users, addressing the improper authentication (CWE-287) in XenForo Passkeys.
