Skip to main content
CVE Vulnerability Database

CVE-2025-8093: Drupal Authenticator Login Auth Bypass

CVE-2025-8093 is an authentication bypass vulnerability in Drupal Authenticator Login that allows attackers to circumvent authentication using alternate paths. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-8093 Overview

CVE-2025-8093 is an authentication bypass vulnerability in the Drupal Authenticator Login contributed module. The flaw exists in all versions from 0.0.0 before 2.1.8. An attacker can bypass two-factor authentication (2FA) controls by leveraging an alternate path or channel that the module fails to protect. The issue is tracked under CWE-288: Authentication Bypass Using an Alternate Path or Channel. Successful exploitation impacts confidentiality, integrity, and availability of the affected Drupal site.

Critical Impact

Attackers with low-privileged credentials can circumvent the Authenticator Login 2FA enforcement and access accounts protected by the module, including administrative accounts.

Affected Products

  • Drupal Authenticator Login module versions 0.0.0 through 2.1.7
  • Drupal sites relying on Authenticator Login for two-factor enforcement
  • All Drupal core versions where the vulnerable module is installed

Discovery Timeline

  • 2025-10-10 - CVE-2025-8093 published to NVD
  • 2026-01-05 - Last updated in NVD database
  • Vendor advisory published as Drupal SA-CONTRIB-2025-098

Technical Details for CVE-2025-8093

Vulnerability Analysis

The Authenticator Login module adds a Time-based One-Time Password (TOTP) second factor to the Drupal login flow. The vulnerability stems from the module failing to enforce the 2FA challenge on every authenticated path. An attacker who possesses a valid username and password can reach authenticated functionality through an alternate path that does not invoke the second-factor check. The attack requires only low privileges and no user interaction, and it is exploitable across the network.

The vulnerability is classified under [CWE-288], which covers cases where access control is enforced on a primary path but a secondary route reaches the same resource without revalidation. Because the 2FA gate is the primary security control of the module, bypassing it nullifies the protection it advertises.

Root Cause

The root cause is incomplete enforcement of the 2FA challenge across all authentication entry points in Drupal. The module hooks into the standard login form but does not intercept all alternate authentication mechanisms, such as password reset links, one-time login URLs, or other contributed modules that issue session tokens. Sessions established through these channels skip the TOTP prompt.

Attack Vector

Exploitation is network-based and requires low-privileged credentials (PR:L). An attacker who has stolen or guessed a password sends an authentication request through an unprotected path. The Drupal session is established without the TOTP step, granting the attacker the full privileges of the targeted account. If the targeted account holds administrative roles, the attacker gains site-wide control, including code execution through Drupal's module and theme management.

No proof-of-concept code or public exploit has been published. Refer to the Drupal Security Advisory for vendor-supplied technical details.

Detection Methods for CVE-2025-8093

Indicators of Compromise

  • Successful logins to 2FA-enabled accounts without a corresponding TOTP validation event in the Drupal watchdog log
  • Session establishment via /user/reset/ one-time login URLs followed by privileged operations without a 2FA challenge entry
  • Authentication events from unfamiliar IP addresses for accounts that historically required second-factor approval

Detection Strategies

  • Audit the watchdog or syslog stream for user channel login events lacking adjacent authenticator_login validation entries
  • Correlate Drupal session creation events with module-specific 2FA success events; gaps indicate bypass
  • Inspect web server access logs for repeated POST requests to alternate authentication endpoints prior to authenticated administrative activity

Monitoring Recommendations

  • Forward Drupal application logs and PHP-FPM access logs to a centralized SIEM for query-based identification of mismatched authentication sequences
  • Alert on administrative actions (config_export, module install, user role change) performed by accounts that did not complete a 2FA event in the same session
  • Track baseline 2FA challenge rates per account and alert on statistically significant drops

How to Mitigate CVE-2025-8093

Immediate Actions Required

  • Upgrade the Authenticator Login module to version 2.1.8 or later on every Drupal site that uses it
  • Invalidate all active Drupal sessions after upgrading to force re-authentication through the patched flow
  • Rotate passwords for administrative accounts and review recent administrative activity for unauthorized changes
  • Audit installed modules and themes for unexpected additions that could indicate post-exploitation persistence

Patch Information

The vendor released a fix in Authenticator Login 2.1.8. The patch is documented in Drupal SA-CONTRIB-2025-098. Apply the update through Composer or the Drupal update manager and clear all caches after deployment.

Workarounds

  • Disable the Authenticator Login module until the upgrade is applied if patching cannot be performed immediately
  • Restrict access to Drupal login and password reset endpoints at the web server or WAF layer to trusted IP ranges
  • Disable the one-time login URL feature where business requirements allow, reducing the number of alternate authentication paths
bash
# Update via Composer to the patched release
composer require 'drupal/authenticator_login:^2.1.8' --update-with-dependencies
drush updatedb
drush cache:rebuild

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.