CVE-2025-26788
📋 TL;DR
This vulnerability in StrongKey FIDO Server allows authentication bypass by incorrectly treating non-discoverable credential flows as discoverable transactions. Attackers could potentially authenticate as legitimate users without proper credentials. Organizations using StrongKey FIDO Server versions before 4.15.1 for passkey authentication are affected.
💻 Affected Systems
- StrongKey FIDO Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass allowing unauthorized access to protected systems and data, potentially leading to account takeover and privilege escalation.
Likely Case
Authentication bypass enabling unauthorized access to applications relying on StrongKey FIDO Server for passkey authentication.
If Mitigated
Limited impact if proper network segmentation, monitoring, and multi-factor authentication are in place.
🎯 Exploit Status
Exploitation requires understanding of FIDO2 protocol and access to authentication endpoints. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.15.1
Vendor Advisory: https://docs.strongkey.com/index.php/skfs-v3/skfs-release-notes
Restart Required: No
Instructions:
1. Download StrongKey FIDO Server version 4.15.1 or later.
2. Follow standard upgrade procedures for your deployment.
3. Verify the upgrade completed successfully.
4. Test authentication flows to ensure proper functionality.
🔧 Temporary Workarounds
Disable non-discoverable credential flows
Temporarily disable named credential (non-discoverable) authentication flows until patching can be completed.
This requires configuration changes in the StrongKey FIDO Server settings to disable non-discoverable credential support.
🧯 If You Can't Patch
- Implement additional authentication layers (MFA) for all users
- Restrict network access to StrongKey FIDO Server endpoints
🔍 How to Verify
Check if Vulnerable:
Check the StrongKey FIDO Server version. If it is below 4.15.1, the system is vulnerable.
Check Version:
Check the server version through the admin interface or the configuration files.
Verify Fix Applied:
Verify version is 4.15.1 or higher and test authentication flows to ensure proper credential type handling.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns
- Multiple failed authentication attempts followed by success
- Authentication from unexpected locations
Network Indicators:
- Unusual traffic patterns to FIDO authentication endpoints
- Authentication requests with malformed credential types
SIEM Query:
source="strongkey-fido" AND (event_type="authentication" AND result="success") AND credential_type="named"
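As an added example (not part of this advisory or of StrongKey's own tooling), the Python helper below applies the two checks described above: it decides whether a reported server version predates the 4.15.1 fix, and it replays the SIEM query's logic over constructed JSON log lines to flag successful authentications that used a named (non-discoverable) credential. The log field names mirror the SIEM query but are assumptions; adapt them to what your deployment actually emits.

```python
import json

FIXED_VERSION = (4, 15, 1)  # first release with the fix, per the advisory


def parse_version(text):
    """'4.14.0' -> (4, 14, 0); short strings are padded so '4.15' compares as 4.15.0."""
    nums = [int(p) for p in text.strip().split(".") if p.isdigit()]
    return tuple(nums + [0] * 3)[:3]


def is_vulnerable(version_text):
    """True when the reported server version is below 4.15.1."""
    return parse_version(version_text) < FIXED_VERSION


def flag_named_credential_successes(log_lines):
    """Events matching the advisory's SIEM query: successful auths via a named credential."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines rather than abort the whole sweep
        if (event.get("event_type") == "authentication"
                and event.get("result") == "success"
                and event.get("credential_type") == "named"):
            hits.append(event)
    return hits


# Constructed sample log lines (not real StrongKey output); the field names are assumed.
SAMPLE_LOG = """
{"event_type": "authentication", "result": "success", "credential_type": "discoverable", "user": "alice"}
{"event_type": "authentication", "result": "success", "credential_type": "named", "user": "bob"}
{"event_type": "authentication", "result": "failure", "credential_type": "named", "user": "bob"}
not-a-json-line
{"event_type": "registration", "result": "success", "credential_type": "named", "user": "carol"}
""".splitlines()

if __name__ == "__main__":
    print("vulnerable (4.14.0):", is_vulnerable("4.14.0"))
    for hit in flag_named_credential_successes(SAMPLE_LOG):
        print("review named-credential success for user:", hit["user"])
```

Flagged events are review candidates, not confirmed abuse: a successful named-credential authentication is normal for users who registered non-discoverable credentials, so correlate with the other log and network indicators listed above.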