{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/2fa/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["authentication","2fa","bypass","better-auth"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBetter Auth versions prior to 1.4.9 contain a critical vulnerability that can lead to two-factor authentication (2FA) bypass. The vulnerability arises when the \u003ccode\u003esession.cookieCache\u003c/code\u003e is enabled. In this configuration, the initial session created during the login process can be prematurely cached before the 2FA verification is completed. Consequently, subsequent session lookups might use this cached session, circumventing the necessary 2FA check. This issue allows an attacker who possesses valid primary credentials to gain unauthorized access to protected application routes without completing the mandated second authentication factor. Any application leveraging \u003ccode\u003ebetter-auth\u003c/code\u003e with 2FA and session cookie caching enabled is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser attempts to log in with valid username and password.\u003c/li\u003e\n\u003cli\u003eThe application, running a vulnerable version of \u003ccode\u003ebetter-auth\u003c/code\u003e with \u003ccode\u003esession.cookieCache\u003c/code\u003e enabled, creates a session.\u003c/li\u003e\n\u003cli\u003eThe session is cached due to the \u003ccode\u003esession.cookieCache\u003c/code\u003e setting, \u003cem\u003ebefore\u003c/em\u003e the 2FA challenge is presented.\u003c/li\u003e\n\u003cli\u003eThe user is prompted for their second factor (e.g., TOTP code).\u003c/li\u003e\n\u003cli\u003eInstead of providing the 2FA code, the attacker intercepts or reuses the cached session cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker presents the cached session cookie to the application.\u003c/li\u003e\n\u003cli\u003eThe application retrieves the cached session, which it prematurely considers valid.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to protected resources without completing 2FA.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers with valid usernames and passwords to bypass two-factor authentication, gaining unauthorized access to sensitive application resources. The number of affected applications is unknown, but all applications using \u003ccode\u003ebetter-auth\u003c/code\u003e with 2FA and session caching are potentially at risk. A successful attack could lead to data breaches, account takeovers, and other serious security incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ebetter-auth\u003c/code\u003e version 1.4.9 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eDisable \u003ccode\u003esession.cookieCache\u003c/code\u003e when using two-factor authentication as a temporary mitigation.\u003c/li\u003e\n\u003cli\u003eIf disabling \u003ccode\u003esession.cookieCache\u003c/code\u003e is not feasible, implement server-side checks to ensure 2FA is completed before granting full session validity (requires code modification).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T03:29:59Z","date_published":"2026-04-03T03:29:59Z","id":"/briefs/2024-01-02-better-auth-2fa-bypass/","summary":"Better Auth versions prior to 1.4.9 have a critical two-factor authentication bypass vulnerability; when session.cookieCache is enabled, the initial sign-in session may be improperly cached, allowing attackers with valid credentials to bypass 2FA.","title":"Better Auth Two-Factor Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-better-auth-2fa-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["admidio"],"_cs_severities":["high"],"_cs_tags":["2fa","bypass","privilege-escalation","admidio"],"_cs_type":"advisory","_cs_vendors":["composer","admidio"],"content_html":"\u003cp\u003eAdmidio, a web-based content management system for organizations, contains a critical vulnerability in its two-factor authentication (2FA) reset mechanism. The vulnerability, present in versions 5.0.8 and earlier, stems from an inverted authorization check within the \u003ccode\u003emodules/profile/two_factor_authentication.php\u003c/code\u003e script. This flaw enables non-administrative users, specifically group leaders with profile edit rights, to disable 2FA for other users, including administrator accounts. The vulnerability was reported on April 29, 2026. By exploiting this flaw, attackers can bypass 2FA, gaining unauthorized access to privileged accounts and potentially compromising the entire Admidio installation. This highlights the importance of rigorous security audits and proper authorization checks in web applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises or gains access to a non-admin user account within Admidio that possesses \u003ccode\u003ehasRightEditProfile()\u003c/code\u003e permission over an administrator account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003e/adm_program/modules/profile/two_factor_authentication.php\u003c/code\u003e with the \u003ccode\u003emode\u003c/code\u003e parameter set to \u003ccode\u003ereset\u003c/code\u003e and the \u003ccode\u003euser_uuid\u003c/code\u003e parameter set to the UUID of the target administrator account.\u003c/li\u003e\n\u003cli\u003eThe server-side script \u003ccode\u003emodules/profile/two_factor_authentication.php\u003c/code\u003e executes the flawed authorization check at line 84. Due to the inverted logic (\u003ccode\u003e!==\u003c/code\u003e instead of \u003ccode\u003e===\u003c/code\u003e), the check incorrectly grants permission to the non-admin user to reset the administrator\u0026rsquo;s 2FA.\u003c/li\u003e\n\u003cli\u003eThe server removes the TOTP configuration associated with the administrator\u0026rsquo;s account from the database or configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker can now attempt to log in to the administrator account using only the password, bypassing the 2FA requirement.\u003c/li\u003e\n\u003cli\u003eIf the attacker knows or can guess the administrator\u0026rsquo;s password (via credential stuffing, brute force, or other means), they successfully gain access to the account.\u003c/li\u003e\n\u003cli\u003eWith administrator privileges, the attacker can perform a variety of malicious actions, such as creating new accounts, modifying website content, or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows attackers to bypass two-factor authentication on administrator accounts in Admidio installations. This can lead to unauthorized access to sensitive data, modification of website content, and potentially full control over the affected system. While the number of affected installations is unknown, organizations using vulnerable versions of Admidio are at risk. Success of the attack results in complete compromise of the Admidio instance and the data it manages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by changing \u003ccode\u003e!==\u003c/code\u003e to \u003ccode\u003e===\u003c/code\u003e on line 84 of \u003ccode\u003emodules/profile/two_factor_authentication.php\u003c/code\u003e to correct the authorization logic (see Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Admidio 2FA Reset Request\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring HTTP POST requests to the vulnerable endpoint (see Rules).\u003c/li\u003e\n\u003cli\u003eUpgrade Admidio to a patched version that incorporates the fix for CVE-2026-41660.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-admidio-2fa-bypass/","summary":"A logic error in Admidio's two-factor authentication reset inverts the authorization check, allowing non-admin users to remove other users' TOTP, including administrators, reducing their security to password-only authentication in versions 5.0.8 and earlier.","title":"Admidio Inverted 2FA Reset Allows Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-admidio-2fa-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — 2fa","version":"https://jsonfeed.org/version/1.1"}