cbcvebase.
CVE-2025-8995
published 2025-08-15


Priority: P2 61
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.49% (38.5th percentile)
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass. This issue affects Authenticator Login: from 0.0.0 before 2.1.4.

Affected (4 ranges)

Vendor                       Product              Version range       Fixed in
authenticator_login_project  authenticator_login  < 2.1.4             2.1.4
drupal                       alogin               >= 0 < 2.1.5        2.1.5
drupal                       authenticator_login  (not given)         (not given)
drupal                       authenticator_login  >= 0.0.0 < 2.1.4    2.1.4

Detection & IOCs (extracted from sources)

  • The attack targets the AJAX callbacks used in the altered Drupal login form of the Authenticator Login (alogin) module. Monitor for rapid, repeated AJAX login requests to the same account from a single source, as the exploit requires a small series of requests (default: 5) to trigger the authentication bypass condition.
  • Alert on a burst of login attempts (typically ~5 requests by default, but variable based on site configuration) targeting the same username in a short time window, as this is the prerequisite sequence to trigger the bypass.
  • Identify sites running the Drupal alogin module at versions from 0.0.0 before 2.1.4/2.1.5 as vulnerable targets for this authentication bypass.
  • The number of requests required to trigger the bypass is not fixed — it depends on site configuration. The default is 5, but this may vary, affecting detection thresholds.
  • The fix is present in git tag 2.1.4 but there is no official release for that tag; the first official fixed release is 2.1.5. Ensure patching targets 2.1.5 or later.
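The burst pattern the notes above describe (a short run of login requests, 5 by default, for the same account from one source) can be turned into a simple detector over request logs. The following is an added example, not code from the cbcvebase page or from the alogin project. The JSON-lines log format, the sample records, and the assumption that the module's login form and its AJAX callbacks are served under the site's /user/login path are all constructed for this example; the threshold is a parameter because, as the notes say, the required number of requests depends on site configuration.

```python
"""Flag sources that send a burst of login requests for one account.

Added example (not from the cbcvebase page or the alogin project). Log
format, endpoint path and sample records are constructed here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

# Constructed sample records: one JSON object per request.
#  - 203.0.113.7 sends 5 requests for "admin" within 5 seconds (should alert).
#  - 198.51.100.4 sends 2 requests for "alice" five minutes apart (no alert).
#  - 198.51.100.5 sends 5 requests for "bob" one minute apart (only alerts
#    if the window is widened to cover them).
#  - 192.0.2.9 hits a non-login path (ignored).
SAMPLE_LOG = """
{"ts": "2025-08-15T10:00:00", "src": "203.0.113.7", "path": "/user/login", "user": "admin"}
{"ts": "2025-08-15T10:00:01", "src": "203.0.113.7", "path": "/user/login", "user": "admin"}
{"ts": "2025-08-15T10:00:02", "src": "203.0.113.7", "path": "/user/login", "user": "admin"}
{"ts": "2025-08-15T10:00:03", "src": "203.0.113.7", "path": "/user/login", "user": "admin"}
{"ts": "2025-08-15T10:00:04", "src": "203.0.113.7", "path": "/user/login", "user": "admin"}
{"ts": "2025-08-15T10:00:05", "src": "198.51.100.4", "path": "/user/login", "user": "alice"}
{"ts": "2025-08-15T10:05:00", "src": "198.51.100.4", "path": "/user/login", "user": "alice"}
{"ts": "2025-08-15T10:00:06", "src": "192.0.2.9", "path": "/node/1", "user": ""}
{"ts": "2025-08-15T10:10:00", "src": "198.51.100.5", "path": "/user/login", "user": "bob"}
{"ts": "2025-08-15T10:11:00", "src": "198.51.100.5", "path": "/user/login", "user": "bob"}
{"ts": "2025-08-15T10:12:00", "src": "198.51.100.5", "path": "/user/login", "user": "bob"}
{"ts": "2025-08-15T10:13:00", "src": "198.51.100.5", "path": "/user/login", "user": "bob"}
{"ts": "2025-08-15T10:14:00", "src": "198.51.100.5", "path": "/user/login", "user": "bob"}
"""


def is_login_request(record):
    """Assumption: the login form and its AJAX callbacks live under /user/login.
    Replace this predicate with the real endpoint(s) on your site."""
    return bool(record.get("path", "").startswith("/user/login") and record.get("user"))


def detect_login_bursts(log_text, threshold=5, window=timedelta(seconds=60),
                        per_source=True):
    """Return one alert per (source, username) pair (or per username when
    per_source is False) that reaches `threshold` login requests inside a
    sliding `window`. `threshold` should match the site's configured
    request count; the page notes the default is 5."""
    records = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    records.sort(key=lambda r: r["ts"])          # sliding window needs time order
    recent = defaultdict(deque)                  # key -> timestamps inside the window
    alerted = set()
    alerts = []
    for rec in records:
        if not is_login_request(rec):
            continue
        ts = datetime.fromisoformat(rec["ts"])
        key = (rec["src"], rec["user"]) if per_source else (None, rec["user"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:                # drop requests older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": key[0], "user": key[1], "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_login_bursts(SAMPLE_LOG):
        print("burst:", alert)
```

Run against the constructed sample, the default settings flag only the 203.0.113.7/admin run; widening the window to five minutes also flags the slower bob run, and raising the threshold above the site's configured count suppresses both, which is why the threshold has to be taken from the site's configuration rather than hard-coded to 5.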