CVE-2025-54391

Published: Sep 16, 2025Modified: Sep 17, 2025

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The attacker can configure an additional 2FA method (either a third-party authenticator app or email-based 2FA) without presenting a valid authentication token or proving access to an already configured 2FA method. This bypasses 2FA and results in unauthorized access to accounts that are otherwise protected by 2FA.

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (3)

https://wiki.zimbra.com/wiki/Security_Center

Source: cve@mitre.org

https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

Source: cve@mitre.org

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Source: cve@mitre.org

Timeline

No history available yet.