{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/phpmyfaq-prior-to-4.1.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-45010"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["phpMyFAQ (prior to 4.1.2)"],"_cs_severities":["medium"],"_cs_tags":["cve","brute-force","totp","phpMyFAQ","credential-access","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":["phpMyFAQ"],"content_html":"\u003cp\u003ephpMyFAQ before version 4.1.2 does not restrict excessive authentication attempts (CWE-307) on its second-factor check. The weakness is in the \u003ccode\u003e/admin/check\u003c/code\u003e endpoint, which is neither bound to a password-authenticated session nor rate limited. The endpoint takes the target account from a client-supplied \u003ccode\u003euser-id\u003c/code\u003e parameter, so an unauthenticated attacker can aim it at any account. By sending POST requests that enumerate candidate \u003ccode\u003etoken\u003c/code\u003e values, the attacker can brute-force a user\u0026rsquo;s six-digit TOTP code and bypass two-factor authentication. The search space is at most one million codes, and each code stays valid for the whole TOTP time step (30 seconds by default) plus any clock-skew tolerance the verifier allows, so without an attempt limit the only bound on the attack is the attacker\u0026rsquo;s request rate. 
Successful exploitation allows the attacker to gain full administrative privileges within the phpMyFAQ application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a phpMyFAQ instance running a version prior to 4.1.2.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/admin/check\u003c/code\u003e without any authentication.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a \u003ccode\u003euser-id\u003c/code\u003e parameter specifying the target user account.\u003c/li\u003e\n\u003cli\u003eThe POST request also includes a \u003ccode\u003etoken\u003c/code\u003e parameter containing a potential TOTP value.\u003c/li\u003e\n\u003cli\u003eThe attacker iterates through a range of six-digit numerical values for the \u003ccode\u003etoken\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe server processes each request without rate limiting or session validation.\u003c/li\u003e\n\u003cli\u003eUpon successful brute-force of the correct TOTP, the server grants administrative access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the administrative access to modify data, create new accounts, or otherwise compromise the phpMyFAQ installation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack allows an unauthenticated attacker to gain full administrative access to the phpMyFAQ application. This can lead to complete compromise of the application\u0026rsquo;s data, including sensitive information stored within the FAQ system. The attacker can also create new administrative accounts, further solidifying their control over the system. 
The potential impact includes data breaches, defacement, and denial of service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade phpMyFAQ to version 4.1.2 or later to patch CVE-2026-45010.\u003c/li\u003e\n\u003cli\u003eUntil the upgrade is in place, rate-limit the \u003ccode\u003e/admin/check\u003c/code\u003e endpoint per target account as well as per source address, with a lockout after a handful of failures; a per-IP limit alone is defeated by spreading the guesses across many sources, and a limit that still allows a meaningful fraction of the one million codes per time step is not a limit.\u003c/li\u003e\n\u003cli\u003eBind the second-factor check to a session that has already passed the password step and take the user account from that session rather than from a request parameter; a TOTP check reachable without a password-authenticated session is a single factor, not a second one.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect phpMyFAQ TOTP Brute-Force Attempts\u0026rdquo; to identify potential brute-force attacks against the \u003ccode\u003e/admin/check\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for bursts of POST requests to \u003ccode\u003e/admin/check\u003c/code\u003e from one source, or spread across many sources, in a short window; access logs do not record the POST body, so the targeted user-id is only visible where the application itself logs it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T19:19:03Z","date_published":"2026-05-15T19:19:03Z","id":"https://feed.craftedsignal.io/briefs/2026-05-phpmyfaq-totp-bypass/","summary":"phpMyFAQ before 4.1.2 is vulnerable to improper restriction of excessive authentication attempts in the /admin/check endpoint, allowing unauthenticated attackers to brute-force any user's six-digit TOTP code and bypass two-factor authentication, potentially gaining full administrative access (CVE-2026-45010).","title":"phpMyFAQ Unauthenticated TOTP Bypass via Brute-Force (CVE-2026-45010)","url":"https://feed.craftedsignal.io/briefs/2026-05-phpmyfaq-totp-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — PhpMyFAQ (Prior to 4.1.2)","version":"https://jsonfeed.org/version/1.1"}
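The attack chain above and the two controls the endpoint is described as missing, as an added Python example that is not phpMyFAQ's code: a minimal model of a TOTP check that trusts a client-supplied user-id and allows unlimited retries, next to a version that takes the account from a password-authenticated session and locks the account after a few failures. TOTP generation follows RFC 6238; the secret store, the session dict, the limits and the fixed clock (the RFC 6238 SHA-1 test vector, whose six-digit code is 287082) are assumptions made for illustration.

```python
"""Vulnerable vs. hardened second-factor check (added example, not phpMyFAQ code).

Models the weakness described above: an endpoint that takes a client-supplied
user-id and a token and checks the token with no attempt limit and no tie to a
password-authenticated session, next to a version with both controls. TOTP is
computed per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits); names and limits are
hypothetical.
"""
import hashlib
import hmac
import struct

# Hypothetical secret store (user-id -> TOTP seed). The seed and the fixed
# clock are the RFC 6238 SHA-1 test vector, so the valid code is "287082".
SECRETS = {"1": b"12345678901234567890"}
FIXED_NOW = 59


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class VulnerableCheck:
    """The behaviour the advisory describes: any caller names any user-id, unlimited retries."""

    def __init__(self, secrets, now):
        self.secrets, self.now = secrets, now
        self._cache = {}  # (user_id, time counter) -> expected code, as a server would cache it

    def check(self, user_id: str, token: str) -> str:
        key = (user_id, self.now // 30)
        if key not in self._cache:
            self._cache[key] = totp(self.secrets[user_id], self.now)
        return "ok" if hmac.compare_digest(self._cache[key], token) else "bad-token"


class HardenedCheck:
    """Same check with the two missing controls: session binding and a per-account attempt limit."""
    MAX_FAILURES = 5         # hypothetical limits; far below the ~10^6 guesses a brute force needs
    LOCKOUT_SECONDS = 300

    def __init__(self, secrets, now):
        self.secrets, self.now = secrets, now
        self.failures = {}  # user_id -> (failure count, start of the counting window)

    def check(self, session: dict, token: str) -> str:
        # 1. The account comes from a session that already passed the password step,
        #    never from a request parameter, so the check is a genuine second factor.
        if not session.get("password_ok"):
            return "denied"
        user_id = session["user_id"]
        # 2. Per-account failure counter with lockout, so the attempt budget per time
        #    step is MAX_FAILURES rather than whatever the attacker's bandwidth allows.
        count, since = self.failures.get(user_id, (0, self.now))
        if count >= self.MAX_FAILURES:
            if self.now - since < self.LOCKOUT_SECONDS:
                return "locked"
            count, since = 0, self.now  # lockout expired: start a fresh window
        if hmac.compare_digest(totp(self.secrets[user_id], self.now), token):
            self.failures.pop(user_id, None)
            return "ok"
        self.failures[user_id] = (count + 1, since)
        return "bad-token"


def brute_force(check) -> tuple:
    """Enumerate 000000..999999 against `check`; stop at the first non-'bad-token' outcome."""
    for i in range(10 ** 6):
        outcome = check(f"{i:06d}")
        if outcome != "bad-token":
            return outcome, i + 1
    return "exhausted", 10 ** 6


def demo() -> dict:
    vuln = VulnerableCheck(SECRETS, FIXED_NOW)
    hard = HardenedCheck(SECRETS, FIXED_NOW)
    session = {"password_ok": True, "user_id": "1"}  # attacker who has the password but not the code
    return {
        "vulnerable": brute_force(lambda tok: vuln.check("1", tok)),
        "hardened": brute_force(lambda tok: hard.check(session, tok)),
        "no_session": hard.check({}, totp(SECRETS["1"], FIXED_NOW)),  # right code, no password step
    }


if __name__ == "__main__":
    print(demo())  # vulnerable: ('ok', 287083); hardened: ('locked', 6); no_session: 'denied'
```

Run stand-alone, the vulnerable check falls to enumeration on guess 287,083, the hardened check locks the account on the sixth attempt, and the hardened check refuses even the correct code when no password-authenticated session is present. The lockout is keyed on the account rather than the source address because the attacker, not the defender, decides how many addresses the guesses come from.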
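The log-monitoring recommendation above, as an added Python example that is neither the Sigma rule the page names nor phpMyFAQ code: a sliding-window counter over web-server access-log lines that raises one alert per source address once POSTs to /admin/check cross a threshold. The log lines are constructed for the example, and the window and threshold are assumptions. Access logs do not carry the POST body, so the targeted user-id is not visible here and the detection is per source only.

```python
"""Detect TOTP brute-force bursts against /admin/check in web-server access logs
(added example, not the Sigma rule named on this page and not phpMyFAQ code).

Counts POST requests to /admin/check per source address in a sliding window and
raises one alert per source once the count crosses a threshold. Access logs do
not carry the POST body, so the targeted user-id is not visible here; a per-source
view is the best an access log alone supports. Log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format; the query string is dropped from the path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TARGET_METHOD, TARGET_PATH = "POST", "/admin/check"


def parse_line(line: str):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_totp_bruteforce(lines, window_seconds: int = 60, threshold: int = 20) -> list:
    """One alert per source IP whose POSTs to /admin/check reach `threshold` within `window_seconds`.

    The threshold is deliberately tiny against a 10^6 code space: a legitimate user
    mistypes a code a handful of times, a brute force needs hundreds of thousands.
    """
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    recent = defaultdict(deque)  # ip -> timestamps of matching requests inside the window
    alerts, alerted = [], set()
    for rec in records:
        if rec["method"] != TARGET_METHOD or rec["path"] != TARGET_PATH:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append({"ip": rec["ip"], "count": len(q),
                           "first": q[0].isoformat(), "last": rec["ts"].isoformat()})
    return alerts


def _line(ip, ts, method, path, status=200):
    """Build one constructed combined-format line; the status code is not used by the detection."""
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample: one normal user completing a 2FA step, one source hammering
# the endpoint at four requests a second, and a line that does not parse at all.
_BASE = datetime(2026, 5, 15, 19, 19, 3, tzinfo=timezone.utc)
SAMPLE_LOG = [
    _line("198.51.100.5", _BASE, "GET", "/admin/"),
    _line("198.51.100.5", _BASE + timedelta(seconds=9), "POST", "/admin/check"),
    _line("198.51.100.5", _BASE + timedelta(seconds=31), "GET", "/admin/?action=dashboard"),
    "garbage line that does not match the log format",
] + [
    _line("203.0.113.7", _BASE + timedelta(seconds=i // 4), "POST", "/admin/check")
    for i in range(120)  # 120 guesses in 30 s, i.e. within one TOTP time step
]


if __name__ == "__main__":
    for alert in detect_totp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The alert fires on the twentieth POST from the noisy source and never for the user who submitted one code; the noisy source's remaining requests extend the same incident rather than producing new alerts. A brute force spread across many addresses stays under a per-source threshold, which is why the access-log view complements, rather than replaces, a per-account limit in the application.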