Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Date:
2025-May-07
Vulnerability:
Access bypass
Affected versions:
<4.7.0 || >=5.0.0 <5.2.0
CVE IDs:
CVE-2025-47709
Description:
The module enables you to add second-factor authentication in addition to the default Drupal login.
The module doesn't sufficiently protect certain sensitive routes, allowing an attacker to view or modify various TFA-related settings.
Solution:
Install the latest version:
- If you use the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above, upgrade to miniorange_2fa 5.2.0.
- If you use the Enterprise MFA - TFA module version 4.x for Drupal 8, 9 or 10, upgrade to miniorange_2fa 8.x-4.7.
Reported By:
- Juraj Nemec (poker10) of the Drupal Security Team
Fixed By:
Coordinated By:
- Juraj Nemec (poker10) of the Drupal Security Team
