CVE-2025-64103
📋 TL;DR
This vulnerability allows attackers to bypass multi-factor authentication (MFA) in Zitadel by targeting only the TOTP code without requiring password verification. Users with MFA enabled but without strict MFA requirements in login policies are affected. This weakens authentication security and could lead to account compromise.
💻 Affected Systems
- Zitadel
📦 What is this software?
Zitadel by Zitadel
⚠️ Risk & Real-World Impact
Worst Case
Attackers compromise administrator or privileged user accounts, gaining full control over Zitadel instances and potentially accessing sensitive user data or systems.
Likely Case
Attackers compromise regular user accounts to access protected resources, steal data, or perform unauthorized actions within applications using Zitadel for authentication.
If Mitigated
With proper MFA policy enforcement and monitoring, impact is limited to accounts without strict MFA requirements, but still represents authentication bypass risk.
🎯 Exploit Status
Exploitation requires knowledge of valid usernames and ability to intercept or guess TOTP codes, but no password needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.71.18, 3.4.3, or 4.6.0
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-cfjq-28r2-4jv5
Restart Required: Yes
Instructions:
1. Back up your Zitadel instance.
2. Update to version 2.71.18, 3.4.3, or 4.6.0, depending on your current major version.
3. Restart Zitadel services.
4. Verify the fix by testing MFA enforcement.
🔧 Temporary Workarounds
Enforce MFA in Login Policies
Enable requireMFA or requireMFAForLocalUsers in all login policies to prevent the bypass condition.
🧯 If You Can't Patch
- Enable strict MFA requirements in all login policies immediately.
- Monitor authentication logs for suspicious MFA bypass attempts and implement rate limiting on authentication endpoints.
🔍 How to Verify
Check if Vulnerable:
Check whether your Zitadel version falls within an affected range (anything before 2.71.18, 3.4.3, or 4.6.0 on the respective major version) and whether any users have MFA enabled without a login policy that requires MFA.
Check Version:
Run zitadel version, or check the Zitadel admin interface for version information.
Verify Fix Applied:
After patching, test that a user with MFA enabled cannot authenticate with a TOTP code alone when the password check has not succeeded.
📡 Detection & Monitoring
Log Indicators:
- Successful authentication events where MFA was bypassed
- Multiple failed TOTP attempts followed by successful login
- Authentication from unusual locations without proper MFA
Network Indicators:
- Unusual authentication patterns focusing on /oauth/token or similar endpoints
- High volume of TOTP validation requests
SIEM Query:
source="zitadel" event_type="authentication" mfa_bypassed=true OR (mfa_required=false AND mfa_used=true)
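The two log indicators above (a TOTP success with no preceding successful password check in the same session, and a run of failed TOTP attempts followed by a success) can be checked offline against exported authentication events. The following is an added example, not part of the original advisory and not Zitadel's own code or log schema: it assumes a constructed JSON-lines format with session, user, step and result fields, so the field names must be mapped to whatever your Zitadel deployment actually emits before use.

```python
import json
from collections import defaultdict

# Constructed sample events (hypothetical schema, NOT Zitadel's real log format).
# Each line records one authentication step within a login session.
SAMPLE_LOG = """
{"ts": "2025-11-20T10:00:01Z", "session": "s1", "user": "alice", "step": "password", "result": "success"}
{"ts": "2025-11-20T10:00:05Z", "session": "s1", "user": "alice", "step": "totp", "result": "success"}
{"ts": "2025-11-20T10:01:00Z", "session": "s2", "user": "bob", "step": "totp", "result": "success"}
{"ts": "2025-11-20T10:02:00Z", "session": "s3", "user": "carol", "step": "password", "result": "success"}
{"ts": "2025-11-20T10:02:03Z", "session": "s3", "user": "carol", "step": "totp", "result": "failure"}
{"ts": "2025-11-20T10:02:06Z", "session": "s3", "user": "carol", "step": "totp", "result": "failure"}
{"ts": "2025-11-20T10:02:09Z", "session": "s3", "user": "carol", "step": "totp", "result": "failure"}
{"ts": "2025-11-20T10:02:12Z", "session": "s3", "user": "carol", "step": "totp", "result": "success"}
{"ts": "2025-11-20T10:03:00Z", "session": "s4", "user": "dave", "step": "password", "result": "failure"}
{"ts": "2025-11-20T10:03:04Z", "session": "s4", "user": "dave", "step": "totp", "result": "success"}
"""


def parse_events(text):
    """Parse JSON-lines authentication events, skipping blank lines. Order is preserved."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def find_totp_without_password(events):
    """Return (session, user) pairs where a TOTP check succeeded although no
    password check had succeeded earlier in the same session.

    This is the shape of the bypass described in the advisory: the second
    factor was verified without the first factor ever being verified."""
    password_ok = set()
    findings = []
    for ev in events:
        key = (ev["session"], ev["user"])
        if ev["step"] == "password" and ev["result"] == "success":
            password_ok.add(key)
        elif ev["step"] == "totp" and ev["result"] == "success" and key not in password_ok:
            findings.append(key)
    return findings


def find_totp_failures_then_success(events, threshold=3):
    """Return (session, user, failure_count) where at least `threshold`
    consecutive TOTP failures in a session were followed by a TOTP success,
    which is the guessing pattern the Log Indicators list calls out."""
    failures = defaultdict(int)
    findings = []
    for ev in events:
        if ev["step"] != "totp":
            continue
        key = (ev["session"], ev["user"])
        if ev["result"] == "failure":
            failures[key] += 1
        elif ev["result"] == "success":
            if failures[key] >= threshold:
                findings.append((key[0], key[1], failures[key]))
            failures[key] = 0  # a success closes the run
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for session, user in find_totp_without_password(events):
        print(f"TOTP success without password success: session={session} user={user}")
    for session, user, count in find_totp_failures_then_success(events):
        print(f"{count} TOTP failures then success: session={session} user={user}")
```

On the constructed sample, sessions s2 and s4 are flagged for a TOTP success with no successful password step (in s4 the password step was attempted and failed), and s3 is flagged for three failed TOTP attempts before a success. The first check is the one to keep running after patching: on a fixed version it should produce no hits, which doubles as the "Verify Fix Applied" evidence for the sessions you test.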