{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/edumfa--2.9.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MariaDB","eduMFA (\u003c 2.9.1)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","mfa","token reusage"],"_cs_type":"advisory","_cs_vendors":["MariaDB"],"content_html":"\u003cp\u003eA vulnerability exists in eduMFA versions prior to 2.9.1 related to the handling of transaction isolation within the database layer. Specifically, when eduMFA is deployed with MySQL or MariaDB versions prior to 11.6.2 (or newer versions with \u003ccode\u003einnodb_snapshot_isolation\u003c/code\u003e explicitly set to OFF), it is possible for attackers to reuse token values due to faulty transaction isolation. This is because the database might not properly serialize token usage, allowing multiple requests to validate the same token before it is invalidated. The affected token types include TOTP, HOTP, and potentially WebAuthN, all of which rely on single-use tokens. Exploitation requires winning a race condition. The vulnerability was addressed in eduMFA version 2.9.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser initiates a multi-factor authentication process.\u003c/li\u003e\n\u003cli\u003eeduMFA generates a time-based or counter-based one-time password (TOTP or HOTP).\u003c/li\u003e\n\u003cli\u003eThe token and associated user data are written to the database.\u003c/li\u003e\n\u003cli\u003eAttacker initiates multiple authentication requests using the same token value in rapid succession.\u003c/li\u003e\n\u003cli\u003eDue to incorrect InnoDB snapshot isolation, multiple authentication requests may read the same uncommitted token value from the database before it is invalidated by the first successful authentication.\u003c/li\u003e\n\u003cli\u003eThe database validates the token for each of the attacker\u0026rsquo;s requests, as the isolation level does not prevent concurrent reads before the write.\u003c/li\u003e\n\u003cli\u003eIf the race succeeds, multiple authentication sessions are established using the same token.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the user\u0026rsquo;s account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to bypass multi-factor authentication and gain unauthorized access to user accounts. This could lead to data breaches, account compromise, and other malicious activities. The number of potentially affected users depends on the deployment size of eduMFA and the number of users relying on TOTP, HOTP or WebAuthN for authentication. Sectors that rely on eduMFA for authentication are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade eduMFA to version 2.9.1 to apply the fix that locks rows prior to write with SELECT FOR UPDATE.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, set \u003ccode\u003einnodb_snapshot_isolation\u003c/code\u003e to ON in MariaDB configurations (default in MariaDB \u0026gt;= 11.6.2) as a workaround.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T15:37:43Z","date_published":"2026-05-18T15:37:43Z","id":"https://feed.craftedsignal.io/briefs/2026-05-edumfa-token-reusage/","summary":"eduMFA versions prior to 2.9.1 are vulnerable to token reusage due to incorrect InnoDB snapshot isolation in MySQL and MariaDB versions prior to 11.6.2 (or newer with innodb_snapshot_isolation=off), affecting token types such as TOTP, HOTP, and likely WebAuthN, where tokens are intended for single use, requiring racing the transaction for exploitation.","title":"eduMFA Token Reusage Vulnerability due to Incorrect InnoDB Snapshot Isolation","url":"https://feed.craftedsignal.io/briefs/2026-05-edumfa-token-reusage/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["eduMFA (\u003c 2.9.1)"],"_cs_severities":["high"],"_cs_tags":["replay-attack","authentication","webauthn"],"_cs_type":"advisory","_cs_vendors":["eduMFA"],"content_html":"\u003cp\u003eeduMFA versions prior to 2.9.1 are susceptible to a replay attack vulnerability affecting userless Passkey/WebAuthn authentication. This flaw stems from the absence of an expiration flag within the challenge generated during the authentication process. Consequently, an attacker could potentially capture a valid, unexpired challenge and reuse it to bypass authentication, even after the legitimate user\u0026rsquo;s session has ended or the challenge should have expired. This issue was addressed in eduMFA version 2.9.1 by implementing validity information for userless challenges. Defenders should prioritize upgrading vulnerable instances of eduMFA to version 2.9.1 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser initiates a userless Passkey/WebAuthn authentication request against an eduMFA instance running a version prior to 2.9.1.\u003c/li\u003e\n\u003cli\u003eeduMFA generates a challenge without proper expiration or validity constraints.\u003c/li\u003e\n\u003cli\u003eAttacker intercepts the challenge during transmission or retrieves it from a compromised system.\u003c/li\u003e\n\u003cli\u003eThe legitimate user completes the authentication, granting access to protected resources.\u003c/li\u003e\n\u003cli\u003eAttacker replays the previously intercepted challenge to the eduMFA instance.\u003c/li\u003e\n\u003cli\u003eDue to the missing expiration check, eduMFA incorrectly validates the replayed challenge as legitimate.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to the protected resources, impersonating the original user.\u003c/li\u003e\n\u003cli\u003eAttacker performs actions within the system using the compromised session, potentially escalating privileges or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass multi-factor authentication and gain unauthorized access to systems and data protected by eduMFA. This can lead to data breaches, financial losses, and reputational damage. The impact is significant as it undermines the security guarantees provided by multi-factor authentication, especially in environments relying on userless Passkey/WebAuthn authentication.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all eduMFA installations to version 2.9.1 or later to remediate the vulnerability as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect eduMFA Passkey Replay Attempt\u0026rdquo; to identify potential replay attacks by monitoring for multiple authentication attempts using the same challenge.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not possible, consider temporarily disabling userless login as suggested in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T15:37:32Z","date_published":"2026-05-18T15:37:32Z","id":"https://feed.craftedsignal.io/briefs/2026-05-edumfa-passkey-replay/","summary":"eduMFA versions prior to 2.9.1 are vulnerable to replay attacks due to a missing expiration flag in userless Passkey/WebAuthn challenges, potentially leading to unauthorized access.","title":"eduMFA Passkey Replay Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-edumfa-passkey-replay/"}],"language":"en","title":"CraftedSignal Threat Feed — EduMFA (\u003c 2.9.1)","version":"https://jsonfeed.org/version/1.1"}