"We run a non-profit summer camp and hired Ricochet to design our camper and staff database from scratch. Their initial design was custom fit to suit our needs and as those needs have evolved the helpful staff at Ricochet have insured that timely changes keep our database up to date and running smoothly. Thanks for the fantastic service and personal attention, it's made a huge difference for our camp!"
—Chrissie Endler, Camp del Corazon

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-055

Wed, 2025-05-07 10:07 — Anonymous (not verified)

Project: Enterprise MFA - TFA for DrupalDate: 2025-May-07Security risk: Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <4.7.0 || >=5.0.0 <5.2.0CVE IDs: CVE-2025-47709Description: The module enables you to add second-factor authentication in addition to the default Drupal login.
The module doesn't sufficiently protect certain sensitive routes, allowing an attacker to view or modify various TFA-related settings.Solution: Install the latest version:

If you use the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above, upgrade to miniorange_2fa 5.2.0.
If you use the Enterprise MFA - TFA module version 4.x for Drupal 8, 9 or 10, upgrade to miniorange_2fa 8.x-4.7.

Reported By:

Juraj Nemec (poker10) of the Drupal Security Team

Fixed By:

Sudhanshu Dhage (sudhanshu0542)

Coordinated By:

Juraj Nemec (poker10) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-055

Search form

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-055