CVE-2025-8995
published 2025-08-15
CVE-2025-8995: Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass. This issue affects…
Priority P261 · critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.49% (38.5th percentile)
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass. This issue affects Authenticator Login: from 0.0.0 before 2.1.4.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| authenticator_login_project | authenticator_login | < 2.1.4 | 2.1.4 |
| drupal | alogin | >= 0 < 2.1.5 | 2.1.5 |
| drupal | authenticator_login | — | — |
| drupal | authenticator_login | >= 0.0.0 < 2.1.4 | 2.1.4 |
Detection & IOCs (extracted from sources)
- The attack targets the AJAX callbacks used in the altered Drupal login form of the Authenticator Login (alogin) module. Monitor for rapid, repeated AJAX login requests to the same account from a single source, as the exploit requires a small series of requests (default: 5) to trigger the authentication bypass condition.
- Alert on a burst of login attempts (typically ~5 requests by default, but variable based on site configuration) targeting the same username in a short time window, as this is the prerequisite sequence to trigger the bypass.
- Identify sites running the Drupal alogin module at versions from 0.0.0 before 2.1.4/2.1.5 as vulnerable targets for this authentication bypass.
- The number of requests required to trigger the bypass is not fixed: it depends on site configuration. The default is 5, but this may vary, affecting detection thresholds.
- The fix is present in git tag 2.1.4 but there is no official release for that tag; the first official fixed release is 2.1.5. Ensure patching targets 2.1.5 or later.
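The burst rule above, written out as a sliding-window detector. This is an added example for this page, not code from the alogin module, from the Drupal advisory, or from any indexed detection rule. The log format is constructed for the example (timestamp, source address, submitted username, request path); the login path and the `ajax_form=1` query parameter are assumptions drawn from Drupal's generic AJAX form convention, since the page does not name the exact callback URL. The threshold defaults to the advisory's 5 requests and is a parameter because the advisory says the real number depends on site configuration; the 60-second window is an assumption.

```python
"""Sliding-window burst detector for repeated login requests to one
username from one source (CVE-2025-8995 prerequisite sequence).
Added example; not code from the alogin module or the Drupal advisory."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold mirrors the advisory's default of 5 requests; sites may
# configure a different number, so it is a parameter.  The 60 s window
# is an assumption made for this example.
DEFAULT_THRESHOLD = 5
DEFAULT_WINDOW = timedelta(seconds=60)

# Constructed sample log (not from a real incident).  Fields:
# ISO-8601 timestamp, source IP, username submitted to the form, path.
# The path and ajax_form=1 parameter are assumptions (Drupal's generic
# AJAX form convention); the real alogin callback URL is not on the page.
SAMPLE_LOG = """\
2025-08-14T10:00:00Z 203.0.113.7 admin /user/login?ajax_form=1
2025-08-14T10:00:01Z 203.0.113.7 admin /user/login?ajax_form=1
2025-08-14T10:00:02Z 203.0.113.7 admin /user/login?ajax_form=1
2025-08-14T10:00:03Z 203.0.113.7 admin /user/login?ajax_form=1
2025-08-14T10:00:04Z 203.0.113.7 admin /user/login?ajax_form=1
2025-08-14T10:00:05Z 203.0.113.7 admin /user/login?ajax_form=1
2025-08-14T10:05:00Z 198.51.100.3 editor /user/login?ajax_form=1
2025-08-14T10:20:00Z 198.51.100.3 editor /user/login?ajax_form=1
2025-08-14T10:35:00Z 198.51.100.3 editor /user/login?ajax_form=1
2025-08-14T10:50:00Z 198.51.100.3 editor /user/login?ajax_form=1
2025-08-14T11:05:00Z 198.51.100.3 editor /user/login?ajax_form=1
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, user, path)."""
    ts, src, user, path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, path


def detect_bursts(log_text, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Return one alert per (src, user) pair whose login requests reach
    `threshold` within `window`.  Only the first crossing is reported,
    so a long brute-force run produces one alert rather than one per
    request."""
    recent = defaultdict(deque)   # (src, user) -> timestamps inside window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, path = parse_line(line)
        if "/user/login" not in path:
            continue                      # only login-form traffic matters
        key = (src, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests older than window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "user": user, "count": len(q),
                           "first": q[0], "last": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {a['src']} -> {a['user']}: {a['count']} login requests "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

With the defaults, the six rapid requests for `admin` from 203.0.113.7 raise a single alert at the fifth request, while the five slow requests for `editor` (15 minutes apart) do not. Widen the window, or lower the threshold to match a site whose configured request count is smaller than the default, and the slow sequence is caught too; the trade-off is more noise from legitimate users mistyping their one-time code.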
GHSA
GHSA-x4hh-vfx4-455p: Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass
ghsa_unreviewed · 2025-08-15 · CVE-2025-8995 · CRITICAL · CWE-288
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass. This issue affects Authenticator Login: from 0.0.0 before 2.1.4.
OSV
CVE-2025-8995: This module enables users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security
osv · 2025-08-13
This module enables users to set up two-factor authentication (2FA) using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling the authentication flow.
The module doesn't sufficiently validate authentication under specific conditions, allowing an attacker to log in as any account where they know the username.
This vulnerability is mitigated by the fact that an attacker must make a series of requests to trigger the necessary conditions that allow authentication bypass. The series of requests could alert a site owner that they are being attacked; however, the number of requests necessary to trigger the conditions is usually quite small (the number depends on site configuration; by default it is 5).
Drupal
Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096
vendor_drupal · 2025-08-13 · CVE-2025-8995 · CRITICAL
Vulnerability Type: Access bypass
Description: This module enables users to set up two-factor authentication (2FA) using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling the authentication flow. The module doesn't sufficiently validate authentication under specific conditions, allowing an attacker to log in as any account where they know the username. This vulnerability is mitigated by the fact that an attacker must make a series of requests to trigger the necessary conditions that allow authentication bypass. The series of requests could alert a site owner that they are being attacked; however, the number of requests necessary to
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2025-08-15