CVE-2025-30236
📋 TL;DR
This vulnerability in Shearwater SecurEnvoy SecurAccess Enrol allows attackers to bypass password authentication by sending only a six-digit TOTP code in an HTTP POST request with a SESSION parameter. This affects organizations using SecurAccess Enrol for multi-factor authentication before version 9.4.515, potentially compromising user accounts and authentication systems.
💻 Affected Systems
- Shearwater SecurEnvoy SecurAccess Enrol
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user whose valid TOTP codes an attacker can obtain or guess, leading to unauthorized access to protected systems and data.
Likely Case
Targeted attacks against specific users where attackers can obtain TOTP codes through phishing or other means, resulting in unauthorized access to authentication-protected resources.
If Mitigated
Limited impact with proper network segmentation, monitoring, and rate limiting on authentication endpoints.
🎯 Exploit Status
Exploitation requires obtaining valid TOTP codes through other means (phishing, social engineering, or brute force). The authentication bypass itself is straightforward once TOTP codes are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.4.515
Vendor Advisory: https://securenvoy.com/wp-content/uploads/2025/03/Release-Notes-9.4.515.pdf
Restart Required: No
Instructions:
1. Download SecurAccess Enrol version 9.4.515 or later from the Shearwater support portal.
2. Back up the current configuration.
3. Install the update following vendor documentation.
4. Verify that authentication now requires both a password and a TOTP code.
🔧 Temporary Workarounds
Implement rate limiting
Add rate limiting to authentication endpoints to prevent brute-force attacks on TOTP codes
Configure web server or WAF to limit requests to /auth endpoints to reasonable rates
Network segmentation
Restrict access to authentication endpoints to trusted networks only
Configure firewall rules to limit access to SecurAccess Enrol authentication ports
🧯 If You Can't Patch
- Implement additional authentication factor requirement for sensitive operations
- Enable detailed logging and monitoring of all authentication attempts, especially those with SESSION parameter
🔍 How to Verify
Check if Vulnerable:
Check whether authentication succeeds when a POST request to the authentication endpoint contains a SESSION parameter and only a TOTP code, with no password
Check Version:
Check SecurAccess Enrol web interface or configuration files for version number
Verify Fix Applied:
Verify that authentication now fails when a POST request supplies only a TOTP code and no password
📡 Detection & Monitoring
Log Indicators:
- Authentication attempts with only a TOTP code in the POST data
- Multiple failed authentication attempts followed by a successful authentication carrying a SESSION parameter
- Unusual source IPs accessing authentication endpoints
Network Indicators:
- HTTP POST requests to authentication endpoints containing a SESSION parameter but no password field
- Unusual patterns of authentication requests
SIEM Query:
source="securaccess" AND (http_method="POST" AND uri_path="/auth" AND NOT http_post_data CONTAINS "password")
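The two log indicators above, implemented as a small detector over a constructed sample log. This is an added example, not code from the page or the vendor; the log line format, the field names (SESSION, password, totp) and /auth as the authentication endpoint path are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log (not from the page): one line per request, form body captured.
# Format: "<timestamp> <src_ip> <method> <path> <http_status> body=<urlencoded form>"
SAMPLE_LOG = """\
2025-03-10T09:00:01Z 203.0.113.5 POST /auth 401 body=username=alice&password=wrong&SESSION=abc123
2025-03-10T09:00:07Z 203.0.113.5 POST /auth 401 body=username=alice&SESSION=abc123&totp=111111
2025-03-10T09:00:12Z 203.0.113.5 POST /auth 401 body=username=alice&SESSION=abc123&totp=222222
2025-03-10T09:00:18Z 203.0.113.5 POST /auth 200 body=username=alice&SESSION=abc123&totp=483920
2025-03-10T09:05:00Z 198.51.100.7 POST /auth 200 body=username=bob&password=s3cret&SESSION=def456&totp=102938
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
                     r"(?P<status>\d{3}) body=(?P<body>.*)$")

def parse_line(line):
    """Parse one log line into a dict; the form body becomes rec['params']."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["params"] = {k: v[0] for k, v in parse_qs(rec["body"], keep_blank_values=True).items()}
    return rec

def is_totp_only_auth(rec):
    """Indicator 1: POST to the assumed /auth endpoint carrying SESSION but no password field."""
    p = rec["params"]
    return rec["method"] == "POST" and rec["path"] == "/auth" and "SESSION" in p and "password" not in p

def find_indicators(log_text, fail_threshold=2):
    """Return (indicator, src_ip, timestamp) alerts. Indicator 2: at least fail_threshold
    consecutive failures from one source IP, then a successful /auth POST carrying SESSION."""
    alerts, fails = [], {}          # fails: src_ip -> consecutive failed /auth attempts
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "/auth":
            continue
        if is_totp_only_auth(rec):
            alerts.append(("totp_only_post", rec["ip"], rec["ts"]))
        if rec["status"] == 200:
            if fails.get(rec["ip"], 0) >= fail_threshold and "SESSION" in rec["params"]:
                alerts.append(("success_after_failures", rec["ip"], rec["ts"]))
            fails[rec["ip"]] = 0
        else:
            fails[rec["ip"]] = fails.get(rec["ip"], 0) + 1
    return alerts
```

On the sample log, `find_indicators(SAMPLE_LOG)` flags the three password-less POSTs from 203.0.113.5 and the success that follows its failures, while bob's normal password-plus-TOTP login produces no alert.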