{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/2fa-bypass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["directus","vulnerability","credential-access","api-token","2fa-bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDirectus versions prior to 11.17.0 contain a vulnerability where aggregate functions, such as \u003ccode\u003emin\u003c/code\u003e and \u003ccode\u003emax\u003c/code\u003e, when applied to fields with the \u003ccode\u003econceal\u003c/code\u003e special type, incorrectly return raw database values instead of the masked placeholder. This affects authenticated users who have read access to the affected collection, enabling them to extract concealed field values via \u003ccode\u003egroupBy\u003c/code\u003e aggregate queries.  This vulnerability allows for the extraction of sensitive information, such as static API tokens and two-factor authentication secrets stored in \u003ccode\u003edirectus_users\u003c/code\u003e, enabling account takeovers and 2FA bypass. The vulnerability was reported on April 4, 2026, and is identified as CVE-2026-35442. 
Defenders should prioritize upgrading Directus instances to version 11.17.0 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to a vulnerable Directus instance with valid user credentials.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a collection containing fields with the \u003ccode\u003econceal\u003c/code\u003e special type, such as \u003ccode\u003edirectus_users\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an aggregate query using functions like \u003ccode\u003emin\u003c/code\u003e or \u003ccode\u003emax\u003c/code\u003e on the concealed field and includes a \u003ccode\u003egroupBy\u003c/code\u003e clause. Example: \u003ccode\u003eSELECT min(secret_field) FROM collection GROUP BY other_field\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Directus server processes the aggregate query but fails to properly apply the masking logic to the nested results.\u003c/li\u003e\n\u003cli\u003eThe server returns the raw, unmasked values of the concealed field in the aggregate query response.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts static API tokens and TOTP seeds from the returned data.\u003c/li\u003e\n\u003cli\u003eAttacker uses the extracted API tokens to authenticate as other users, including administrators, bypassing username/password requirements.\u003c/li\u003e\n\u003cli\u003eAttacker uses the extracted TOTP seeds to bypass two-factor authentication for other users, gaining unauthorized access to their accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to complete account takeover, including administrative accounts. Two-factor authentication mechanisms can be bypassed, invalidating this security control. 
The number of affected organizations depends on the adoption rate of Directus, but all instances running versions prior to 11.17.0 are vulnerable. If the attack succeeds, attackers gain full control over the Directus instance and associated data, potentially leading to data breaches, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Directus to version 11.17.0 or later to patch the vulnerability (CVE-2026-35442).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to detect and block aggregate queries targeting concealed fields in sensitive collections. See the Sigma rule example for guidance.\u003c/li\u003e\n\u003cli\u003eMonitor Directus application logs for unusual aggregate query patterns, especially those involving \u003ccode\u003egroupBy\u003c/code\u003e and functions like \u003ccode\u003emin\u003c/code\u003e or \u003ccode\u003emax\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T06:13:57Z","date_published":"2026-04-04T06:13:57Z","id":"/briefs/2026-04-directus-aggregate-disclosure/","summary":"A vulnerability in Directus versions prior to 11.17.0 allows authenticated users to extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users, via aggregate queries.","title":"Directus Aggregate Query Vulnerability Allows Disclosure of Concealed Data","url":"https://feed.craftedsignal.io/briefs/2026-04-directus-aggregate-disclosure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["quest-kace","vulnerability","authentication-bypass","2fa-bypass","denial-of-service","sma"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eQuest KACE Systems Management Appliance (SMA) is an IT systems management solution used by organizations to manage and secure endpoints. 
In June 2025, multiple critical vulnerabilities were disclosed. These include CVE-2025-32975, an authentication bypass; CVE-2025-32976, a 2FA bypass; CVE-2025-32977, malicious backup upload; and CVE-2025-32978, license replacement leading to denial of service. The vulnerabilities were discovered during a third-party assessment. As of March 20, 2026, active exploitation has been reported, making immediate patching critical. Versions affected include KACE SMA versions 13.0.385, 13.1.81, 13.2.183, 14.0.341, and 14.1.101. Successful exploitation can lead to complete system compromise, impacting enterprise security and operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthenticated Request (CVE-2025-32975):\u003c/strong\u003e An attacker sends a crafted request to the KACE SMA server, exploiting the improper authentication handling in the SSO mechanism.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Bypass:\u003c/strong\u003e The server fails to properly validate the request, allowing the attacker to bypass authentication and impersonate a legitimate user, gaining unauthorized access to the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e2FA Bypass (CVE-2025-32976):\u003c/strong\u003e If the attacker has valid credentials, they exploit a logic flaw in the two-factor authentication implementation to bypass TOTP-based 2FA requirements.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Using the bypassed authentication, the attacker gains access to administrative privileges within the KACE SMA.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Backup Upload (CVE-2025-32977):\u003c/strong\u003e An unauthenticated attacker uploads a malicious backup file to the system, exploiting weaknesses in the cryptographic signature validation process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem 
Compromise:\u003c/strong\u003e The malicious backup content is processed, compromising the system\u0026rsquo;s integrity and potentially allowing the attacker to execute arbitrary code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLicense Replacement (CVE-2025-32978):\u003c/strong\u003e The attacker uses a web interface intended for license renewal to replace valid system licenses with expired or trial licenses.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service:\u003c/strong\u003e The replacement of valid licenses causes a denial of service, disrupting normal operations and preventing legitimate users from accessing the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows attackers to gain complete control over the KACE SMA, leading to the compromise of managed endpoints. The denial-of-service vulnerability disrupts IT operations. While the exact number of victims is unknown, the widespread use of KACE SMA across various sectors suggests a broad potential impact. 
Active exploitation reported as of March 2026 increases the urgency.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patches released by Quest for KACE SMA versions 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), 14.1.101 (Patch 4) to remediate CVE-2025-32975, CVE-2025-32976, CVE-2025-32977, and CVE-2025-32978.\u003c/li\u003e\n\u003cli\u003eScale up monitoring and detection capabilities to identify any related suspicious activity, as recommended by CCB.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Unauthenticated Access Attempts to KACE SMA\u0026rdquo; to identify potential exploitation attempts targeting CVE-2025-32975.\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious file uploads to detect potential exploitation of CVE-2025-32977.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-21T12:00:00Z","date_published":"2026-03-21T12:00:00Z","id":"/briefs/2026-03-quest-kace-sma-vulns/","summary":"Multiple critical vulnerabilities in Quest KACE Systems Management Appliance (SMA), including authentication bypass and 2FA bypass, allow unauthenticated attackers to achieve system takeover and cause denial of service; active exploitation is reported.","title":"Critical Vulnerabilities in Quest KACE SMA Allow System Takeover","url":"https://feed.craftedsignal.io/briefs/2026-03-quest-kace-sma-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — 2fa-Bypass","version":"https://jsonfeed.org/version/1.1"}