Cyber Posture

CVE-2025-71279

Critical · Public PoC

Published: 01 April 2026
Modified: 01 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (fixed in XenForo 2.3.7)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-71279 is a critical-severity Improper Authentication (CWE-287) vulnerability in XenForo (vendor XenForo). Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 29.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced. The low EPSS should not be read as low urgency: the CVSS vector places the flaw before authentication (PR:N) on a network-reachable service, and a proof of concept is already public.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated mapping]

SI-2 Flaw Remediation · prevent
Directly mitigates the Passkey authentication flaw by requiring identification, reporting, and timely patching of XenForo to version 2.3.7 or later.

IA-5 Authenticator Management · prevent
Ensures proper management of Passkey authenticators, including establishment, protection, and revocation, to counter compromise of their security.

prevent
Requires systems to implement robust identification and authentication for users, addressing the improper authentication (CWE-287) in XenForo Passkeys.

MITRE ATT&CK Enterprise Techniques [AI-generated mapping]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is a critical-severity improper authentication issue in the public-facing XenForo web forum software, enabling unauthenticated remote attackers to bypass Passkey protections and gain unauthorized access, which maps directly to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be able to compromise the security of Passkey-based authentication.

Deeper analysis [AI-generated]

CVE-2025-71279 is a critical-severity vulnerability (CVSS 3.1 score of 9.8) in XenForo forum software versions prior to 2.3.7, specifically affecting Passkeys that have been added to user accounts. The issue, classified under CWE-287 (Improper Authentication), enables attackers to compromise the security of Passkey-based authentication. Published on April 1, 2026, it poses a critical risk to installations relying on this passwordless authentication feature.

The vulnerability can be exploited remotely over the network (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and has an unchanged impact scope (S:U). An unauthenticated attacker can achieve high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), potentially bypassing or undermining Passkey protections to gain unauthorized access or disrupt authentication for affected accounts.

Advisories, including those from VulnCheck detailing a Passkey security bypass and XenForo's release notes for version 2.3.7, confirm that the issue is addressed in the 2.3.7 update, which includes security fixes. Security practitioners should prioritize upgrading to XenForo 2.3.7 or later to mitigate the risk.
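A triage helper for this finding, added here as an example; it is not code from Cyber Posture, XenForo or NVD. It classifies installed XenForo version strings against the fixed release and reproduces the page's Risk Priority from the 60% EPSS / 20% KEV / 20% CVSS weights shown in the header. Three assumptions: the affected range is every release strictly before 2.3.7 (the NVD wording "before 2.3.7"); 2.3.7 pre-release builds (Beta/RC) are treated as unpatched since the advisory references the final 2.3.7 release; and the priority formula 60·EPSS + 20·[in KEV] + 20·(CVSS/10), rounded, is inferred from the stated weights (it yields the page's value of 20 for this CVE). The host inventory at the bottom is constructed sample data.

```python
import re
from dataclasses import dataclass

# Fix shipped in XenForo 2.3.7 (NVD: "XenForo before 2.3.7").
FIXED_VERSION = (2, 3, 7)

# Matches "2.3.6", "2.3.7 Beta 1", "2.3.7 Release Candidate 2", "2.3.7-rc1".
# The pre-release tag list is an assumption about how XenForo labels builds.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)[\s-]*(beta|release candidate|rc|dev)?",
    re.IGNORECASE,
)


def parse_version(text: str) -> tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_final) for a XenForo version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised XenForo version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4) is None


def is_vulnerable(version: str) -> bool:
    """True when the install predates the 2.3.7 fix.

    A 2.3.7 pre-release (Beta/RC) is treated as unpatched: the advisory
    references the 2.3.7 release, so the fix is assumed absent from
    earlier builds carrying that number.
    """
    major, minor, patch, is_final = parse_version(version)
    core = (major, minor, patch)
    return core < FIXED_VERSION or (core == FIXED_VERSION and not is_final)


def risk_priority(epss: float, in_kev: bool, cvss: float) -> int:
    """Weighted 0-100 priority from the page's 60% EPSS / 20% KEV / 20% CVSS.

    Assumed formula: EPSS is a probability in [0, 1], KEV is 0 or 1, CVSS is
    scaled to [0, 1] by dividing by 10. For this CVE (0.0011, not in KEV,
    9.8) it yields 20, matching the page.
    """
    if not 0.0 <= epss <= 1.0 or not 0.0 <= cvss <= 10.0:
        raise ValueError("epss must be in [0,1] and cvss in [0,10]")
    return round(60 * epss + 20 * (1 if in_kev else 0) + 20 * (cvss / 10))


@dataclass(frozen=True)
class Finding:
    host: str
    version: str
    vulnerable: bool
    priority: int


# Score inputs for CVE-2025-71279 as shown on the page.
CVE_EPSS = 0.0011
CVE_IN_KEV = False
CVE_CVSS = 9.8


def triage(inventory: dict[str, str]) -> list[Finding]:
    """Map {host: xenforo_version} to findings, vulnerable hosts first.

    Hosts already on 2.3.7 or later get priority 0 so they sort last.
    """
    findings = []
    for host, version in inventory.items():
        vuln = is_vulnerable(version)
        prio = risk_priority(CVE_EPSS, CVE_IN_KEV, CVE_CVSS) if vuln else 0
        findings.append(Finding(host, version, vuln, prio))
    return sorted(findings, key=lambda f: (-f.priority, f.host))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "forum-a.example": "2.3.6",
        "forum-b.example": "2.3.7",
        "forum-c.example": "2.3.7 Beta 1",
        "forum-d.example": "2.2.17",
        "forum-e.example": "2.3.8",
    }
    for f in triage(sample):
        flag = "VULNERABLE" if f.vulnerable else "patched"
        print(f"{f.host:20} {f.version:16} {flag:10} priority={f.priority}")
```

If the CVE is later added to KEV, flipping CVE_IN_KEV to True raises the priority to 40 under the assumed weighting; the version check is independent of scoring and is the part worth wiring into an inventory scan.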

Details

CWE(s)
CWE-287 Improper Authentication

Affected Products
XenForo XenForo, versions before 2.3.7 (fixed in 2.3.7)

CVEs Like This One

CVE-2026-35056 (same product: XenForo XenForo)
CVE-2025-71282 (same product: XenForo XenForo)
CVE-2025-71278 (same product: XenForo XenForo)
CVE-2025-71281 (same product: XenForo XenForo)
CVE-2025-65128 (shared CWE-287)
CVE-2026-34121 (shared CWE-287)
CVE-2024-53704 (shared CWE-287)
CVE-2026-5570 (shared CWE-287)
CVE-2026-21881 (shared CWE-287)
CVE-2026-33716 (shared CWE-287)
