How the CVE Works:
CVE-2025-32359 is a client-side security enforcement flaw in Zammad (versions 6.4.x before 6.4.2). Zammad requires users to re-authenticate with their current password before modifying two-factor authentication (2FA) settings, but this check is implemented only in the front end, leaving the API endpoint unprotected. An attacker can bypass the re-authentication requirement by calling the API directly, enabling unauthorized 2FA changes. This vulnerability allows account takeover if an attacker gains temporary access to a user's session (e.g., via session hijacking).
DailyCVE Form:
Platform: Zammad
Version: 6.4.x < 6.4.2
Vulnerability: 2FA bypass
Severity: Critical
Date: 04/15/2025
What Undercode Say:
Analytics:
- Attack Vector: Network (API exploitation)
- Impact: Confidentiality, Integrity (account compromise)
- Exploitability: Low complexity, no privileges required
Exploit Command (Curl):
curl -X POST 'https://<target>/api/v1/profile/two_factor_authentication' \
  -H 'Cookie: <stolen_session>' \
  -d '{"method":"sms","phone":"attacker_number"}'
Mitigation Steps:
1. Upgrade to Zammad 6.4.2+.
2. Implement server-side re-authentication checks:
   # Example pseudo-code for server-side validation
   def update_2fa
     return unauthorized unless current_user.reauthenticated?(params[:password])
     # Proceed with 2FA update
   end
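Mitigation step 2 in working form, as an added example that is not Zammad's code: a plain-Ruby model of a 2FA-update handler showing the client-enforced pattern (CWE-602, the flaw class of this CVE) beside the server-enforced one. The User class, the PBKDF2 password hashing, the handler names and the parameter keys are assumptions made for this demo.

```ruby
# Added example (not Zammad's code): server-side re-authentication for a
# 2FA-settings update, modelled as plain Ruby so it runs stand-alone.
# User, update_two_factor_* and the params keys are hypothetical names.
require 'openssl'
require 'securerandom'

# Constant-time byte comparison so a wrong password cannot be timed.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Minimal user record with a salted PBKDF2 password hash (constructed for the demo).
class User
  attr_accessor :two_factor_method

  def initialize(password)
    @salt = SecureRandom.random_bytes(16)
    @password_hash = derive(password, @salt)
    @two_factor_method = 'authenticator_app'
  end

  # The server re-derives the hash from the submitted password and compares it
  # itself; nothing the client asserts is trusted.
  def password_valid?(candidate)
    return false unless candidate.is_a?(String) && !candidate.empty?
    secure_equal?(derive(candidate, @salt), @password_hash)
  end

  private

  def derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000,
                                       length: 32, hash: 'sha256')
  end
end

Result = Struct.new(:status, :body)

# VULNERABLE pattern (CWE-602): the front end prompts for the password and then
# sends a flag; the server only checks the flag, so any request that sets it
# bypasses re-authentication entirely.
def update_two_factor_client_enforced(user, params)
  return Result.new(401, 'unauthorized') unless params[:reauthenticated] == true
  user.two_factor_method = params[:method]
  Result.new(200, 'updated')
end

# HARDENED pattern: the current password travels with the same request that
# changes 2FA settings, and the server verifies it on every such request.
def update_two_factor_server_enforced(user, params)
  return Result.new(401, 'unauthorized') unless user.password_valid?(params[:password])
  user.two_factor_method = params[:method]
  Result.new(200, 'updated')
end

if __FILE__ == $PROGRAM_NAME
  user = User.new('correct horse')
  puts update_two_factor_client_enforced(user, reauthenticated: true, method: 'sms').status  # 200: flag alone suffices
  puts update_two_factor_server_enforced(user, method: 'sms').status                         # 401: no password
  puts update_two_factor_server_enforced(user, password: 'correct horse', method: 'sms').status # 200
end
```

The point of the hardened handler is that the password check lives in the same server-side code path as the state change, so there is no API call that reaches the change without passing it; a separate "I already re-authenticated" flag or front-end prompt cannot substitute for that.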
Detection (Log Analysis):
grep "POST /api/v1/profile/two_factor_authentication" /var/log/zammad/access.log | grep -v "auth_log"
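The log-analysis step above, as an added example that is not from the page or from Zammad: rather than a plain grep for the endpoint, it parses access-log lines and flags 2FA-settings writes issued from a session whose client IP differs from the IP the session started with, which is the session-hijacking case the description mentions. The log format, the session-id field and the sample lines are constructed for this demo and must be adapted to the real access-log format of the deployment.

```ruby
# Added example (not from the page or Zammad): detection logic over access-log
# lines. Flags successful 2FA-settings writes whose source IP differs from the
# IP that first appeared for the same session id.
# The log format below is constructed for the demo; adjust LINE_RE to your logs.
require 'time'

TWO_FA_PATH = '/api/v1/profile/two_factor_authentication'
WRITE_METHODS = %w[POST PUT PATCH DELETE].freeze

# Constructed format: <ISO8601 time> <client ip> sid=<session id> "<METHOD> <path>" <status>
LINE_RE = /\A(?<time>\S+) (?<ip>\S+) sid=(?<sid>\S+) "(?<method>[A-Z]+) (?<path>\S+)" (?<status>\d{3})\z/

Entry = Struct.new(:time, :ip, :sid, :method, :path, :status)

# Returns an Entry, or nil for lines that do not match the expected format.
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  Entry.new(Time.iso8601(m[:time]), m[:ip], m[:sid], m[:method], m[:path], m[:status].to_i)
end

# One finding per accepted 2FA write (status < 400) made from an IP other than
# the one the session was first seen from. Unparseable lines are skipped.
def find_suspicious_2fa_changes(lines)
  first_ip = {}
  findings = []
  lines.map { |l| parse_line(l) }.compact.sort_by(&:time).each do |e|
    first_ip[e.sid] ||= e.ip
    next unless e.path == TWO_FA_PATH && WRITE_METHODS.include?(e.method)
    next unless e.status < 400
    next if e.ip == first_ip[e.sid]
    findings << { sid: e.sid, time: e.time.iso8601, session_ip: first_ip[e.sid],
                  request_ip: e.ip, method: e.method }
  end
  findings
end

# Constructed sample log: s1 is a legitimate change, s2 is a 2FA write from a
# new IP mid-session, s3 is a rejected attempt from a consistent IP.
SAMPLE_LOG = <<~LOG
  2025-04-15T09:00:01Z 10.0.0.5 sid=s1 "GET /api/v1/tickets" 200
  2025-04-15T09:05:10Z 10.0.0.5 sid=s1 "POST /api/v1/profile/two_factor_authentication" 200
  2025-04-15T09:10:00Z 10.0.0.7 sid=s2 "GET /api/v1/tickets" 200
  2025-04-15T09:12:30Z 198.51.100.23 sid=s2 "POST /api/v1/profile/two_factor_authentication" 200
  2025-04-15T09:13:00Z 198.51.100.23 sid=s3 "GET /api/v1/tickets" 200
  2025-04-15T09:14:00Z 198.51.100.23 sid=s3 "POST /api/v1/profile/two_factor_authentication" 401
LOG

if __FILE__ == $PROGRAM_NAME
  find_suspicious_2fa_changes(SAMPLE_LOG.lines).each { |f| puts f.inspect }
end
```

Every 2FA write is worth reviewing while unpatched instances exist; the IP-change filter is what separates the likely hijacked sessions from routine user changes, and the first-seen IP is a simple baseline that can be swapped for whatever session attribute your logs carry (user agent, authentication time).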
WAF Rule (ModSecurity):
SecRule REQUEST_URI "@streq /api/v1/profile/two_factor_authentication" \
  "id:1005,phase:2,deny,log,msg:'2FA Bypass Attempt'"
Note that this rule denies every request to the endpoint, including legitimate 2FA changes by users, so it is a stopgap until the upgrade is applied rather than a permanent control.
Patch Verification:
curl -I https://<target>/api/v1/profile/two_factor_authentication | grep "401 Unauthorized"
References:
- Official Patch: Zammad 6.4.2 Changelog
- CWE-602: Client-Side Enforcement of Server-Side Security
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode