PhpMyFAQ (Prior to 4.1.2) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/phpmyfaq-prior-to-4.1.2/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 15 May 2026 19:19:03 +0000phpMyFAQ Unauthenticated TOTP Bypass via Brute-Force (CVE-2026-45010)https://feed.craftedsignal.io/briefs/2026-05-phpmyfaq-totp-bypass/Fri, 15 May 2026 19:19:03 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-phpmyfaq-totp-bypass/phpMyFAQ before 4.1.2 is vulnerable to improper restriction of excessive authentication attempts in the /admin/check endpoint, allowing unauthenticated attackers to brute-force any user's six-digit TOTP code and bypass two-factor authentication, potentially gaining full administrative access (CVE-2026-45010).phpMyFAQ before version 4.1.2 is susceptible to an improper restriction of excessive authentication attempts. The vulnerability resides in the /admin/check endpoint, which lacks session binding and rate limiting. This endpoint accepts arbitrary user-id parameters, allowing unauthenticated attackers to target specific user accounts. By sending a series of POST requests with sequential token values, an attacker can brute-force the six-digit TOTP code of any user, effectively bypassing two-factor authentication. Successful exploitation allows the attacker to gain full administrative privileges within the phpMyFAQ application.

Attack Chain

  1. The attacker identifies a phpMyFAQ instance running a version prior to 4.1.2.
  2. The attacker sends a POST request to /admin/check without any authentication.
  3. The POST request includes a user-id parameter specifying the target user account.
  4. The POST request also includes a token parameter containing a potential TOTP value.
  5. The attacker iterates through a range of six-digit numerical values for the token parameter.
  6. The server processes each request without rate limiting or session validation.
  7. Upon successful brute-force of the correct TOTP, the server grants administrative access.
  8. The attacker leverages the administrative access to modify data, create new accounts, or otherwise compromise the phpMyFAQ installation.

Impact

A successful attack allows an unauthenticated attacker to gain full administrative access to the phpMyFAQ application. This can lead to complete compromise of the application’s data, including sensitive information stored within the FAQ system. The attacker can also create new administrative accounts, further solidifying their control over the system. The potential impact includes data breaches, defacement, and denial of service.

Recommendation

  • Upgrade phpMyFAQ to version 4.1.2 or later to patch CVE-2026-45010.
  • Implement rate limiting on the /admin/check endpoint to prevent brute-force attacks.
  • Deploy the Sigma rule “Detect phpMyFAQ TOTP Brute-Force Attempts” to identify potential brute-force attacks against the /admin/check endpoint.
  • Monitor web server logs for unusual activity targeting the /admin/check endpoint.
]]>mediumadvisorycvebrute-forcetotpphpMyFAQcredential-accessauthentication-bypass