FacturaScripts: Account takeover of any 2FA-enabled user due to authentication bypass
An authentication bypass vulnerability (CVE-2026-47677) in FacturaScripts' `/login?action=two-factor-validation` endpoint allows unauthenticated attackers to conduct a brute-force attack against Time-based One-Time Passwords (TOTP) for any 2FA-enabled user, including administrators, due to the absence of password verification, CSRF protection, and rate-limiting, leading to complete account takeover with high confidentiality and integrity impact, as well as potential denial of service via account lockout.
Unauthenticated attackers can exploit an authentication bypass vulnerability, identified as CVE-2026-47677, in FacturaScripts' two-factor authentication (2FA) validation endpoint (/login?action=two-factor-validation). This flaw affects FacturaScripts versions up to and including 2026.2. The endpoint is designed to accept Time-based One-Time Passwords (TOTP) but critically lacks password verification, Cross-Site Request Forgery (CSRF) protection, and effective rate-limiting. This combination renders TOTP codes susceptible to brute-force attacks. Due to a lenient VERIFICATION_WINDOW = 8, approximately 17 distinct six-digit TOTP codes are simultaneously valid for a given user, significantly reducing the search space. A public Proof of Concept (PoC) demonstrates that an attacker, knowing only a target user's nickname (e.g., 'admin'), can successfully brute-force a valid TOTP code in minutes to an hour from a single IP address, leading to complete account takeover. This vulnerability grants attackers full access to compromised accounts, enabling high confidentiality and integrity impacts, and can also result in denial of service by locking legitimate users out of their accounts.
Attack Chain
- An unauthenticated attacker identifies a target FacturaScripts instance accessible via the network.
- The attacker determines a valid username (
fsNick) belonging to a 2FA-enabled account (e.g., 'admin', 'company_name', or user initials). - The attacker sends numerous HTTP POST requests to the
/loginendpoint, specifically targeting theaction=two-factor-validationparameter. - Each POST request includes the target
fsNickand an iterated 6-digitfsTwoFactorCodevalue. - The
twoFactorValidationAction()endpoint processes these requests without requiring prior password authentication, validating a CSRF token, or applying rate-limiting, allowing for rapid brute-force attempts. - Due to the configured
TwoFactorManager::VERIFICATION_WINDOW = 8, up to 17 TOTP codes are simultaneously valid for a single 30-second time slot, greatly facilitating the brute-force process. - Upon a successful guess of a valid
fsTwoFactorCode, the server issues a complete session cookie pair (fsNickandfsLogkey) without further security checks. - The attacker uses the obtained session cookies to gain full and persistent access to the victim's account, allowing them to read sensitive data, modify records, change permissions, and potentially install malicious plugins.
Impact
Successful exploitation of CVE-2026-47677 leads to complete account takeover for any 2FA-enabled user within FacturaScripts, including administrative accounts. This results in high confidentiality impact, allowing attackers to access all data visible to the compromised user, such as invoices, customer information, accounting ledgers, attached files, and API keys. The integrity impact is also high, as attackers can create, modify, or delete records, alter user permissions, and potentially upload or install malicious code through admin privileges. Furthermore, the vulnerability enables a targeted denial of service (DoS) by allowing attackers to generate six failed 2FA attempts for a specific user, triggering an account lockout for 10 minutes (MAX_INCIDENT_COUNT = 6). This lockout mechanism can be repeatedly exploited, effectively blocking legitimate users from accessing their accounts.
Recommendation
- Deploy a patch that implements the four fixes outlined in the advisory for CVE-2026-47677, specifically requiring password completion evidence (nonce), CSRF token validation, pre-check of user incidents, and reducing
TwoFactorManager::VERIFICATION_WINDOWto 1. - Implement the suggested Sigma rule to detect attempts to access the vulnerable
/login?action=two-factor-validationendpoint. - Enhance web server or WAF configurations to implement aggressive rate-limiting for POST requests to the
/loginendpoint, particularly those containingaction=two-factor-validation. - Enable comprehensive web server access logging to monitor for repeated POST requests to
/login?action=two-factor-validationfrom single source IP addresses.
Detection coverage 1
Detects CVE-2026-47677 Exploitation - FacturaScripts 2FA Endpoint Access
mediumDetects HTTP POST requests targeting the vulnerable two-factor authentication validation endpoint in FacturaScripts (`/login?action=two-factor-validation`), which is susceptible to brute-force attacks due to lack of rate-limiting, password verification, and CSRF protection. This rule identifies interaction with the vulnerable component.
Detection queries are available on the platform. Get full rules →