Introduction
Attackers can bypass two-factor authentication controls on Drupal sites using the Authenticator Login module, gaining unauthorized access to any account by exploiting alternate access paths. This vulnerability directly undermines the security measures organizations rely on to prevent credential-based attacks, with a critical CVSS score of 9.8 and widespread impact across all versions from 0.0.0 up to but not including 2.1.4.
Drupal is a widely adopted open-source content management system powering millions of websites, from small businesses to large enterprises and government agencies. The Authenticator Login module is a popular contributed extension that enables two-factor authentication using authenticator apps, making it a key security component for many Drupal deployments.
Technical Information
CVE-2025-8995 is classified as CWE-288: Authentication Bypass Using an Alternate Path or Channel. The vulnerability exists in the Drupal Authenticator Login module due to missing or inadequate authorization checks on controller methods responsible for handling user-specific two-factor authentication configuration paths.
Affected routes do not enforce required _permission or _access constraints, and controller methods may lack proper user context validation. As a result, remote attackers can access or modify 2FA settings for arbitrary user accounts by directly interacting with these endpoints. This bypasses both primary and secondary authentication mechanisms, effectively neutralizing the intended security benefits of two-factor authentication.
The attack does not require elevated privileges or user interaction, and can be executed over the network. Exploitation involves sending requests to misconfigured endpoints that should be restricted, allowing attackers to disable or reconfigure 2FA for any user. No public code snippets are available, but the vulnerability pattern matches similar issues previously observed in other Drupal authentication modules.
Patch Information
The Mail Login module for Drupal allows users to log in using their email addresses. A critical vulnerability was identified where the module's brute force protection mechanisms were incomplete, potentially allowing attackers to bypass these protections and gain unauthorized access to user accounts.
To address this issue, the module maintainers released updated versions that enhance the brute force protection:
- For the 3.x branch, upgrade to Mail Login 3.2.0.
- For the 4.x branch, upgrade to Mail Login 4.2.0.
These updates implement more robust flood control measures, aligning the module's security with Drupal core's standards. By upgrading to these versions, site administrators can ensure that the login process is safeguarded against brute force attacks, thereby enhancing the overall security of their Drupal installations.
Patch source: https://www.drupal.org/sa-contrib-2025-088
Detection Methods
Detecting vulnerabilities in Drupal requires a multifaceted approach, combining automated tools with manual inspections to ensure comprehensive coverage. Below are several methods and tools that can aid in identifying potential security issues within your Drupal installation:
1. Automated Security Modules:
-
MD5 Check: This module generates an MD5 checksum for all files within a module. If any file is altered, the module issues a security warning, alerting administrators to unauthorized changes.
-
File Integrity Check: By comparing the current state of your Drupal installation against a file containing MD5 hashes of an official Drupal release, this module can detect missing, changed, or unknown files, indicating potential tampering.
-
Security Scanner Component for SimpleTest Module: Leveraging Drupal's SimpleTest capabilities, this tool performs automated tests to analyze vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS).
-
PHPIDS: Integrating the PHP Intrusion Detection System, this module adds a security layer that logs and monitors potential attacks by analyzing user inputs and behaviors.
2. Vulnerability Assessment Tools:
-
Security Testing Module: Designed to locate XSS, CSRF, and SQL Injection vulnerabilities in contributed modules, this tool scans source code and attempts to exploit identified vulnerabilities using automated tests.
-
Vulnerability Checker: This module lists and checks each installed composer package, library, module, theme, and server package used by your Drupal installation for vulnerabilities against various sources, including packagist.org and the National Vulnerability Database.
3. Antivirus and Malware Detection:
- Drupal Antivirus Site Protection: This module scans and analyzes all files of your Drupal website, including theme files, module files, and upload directories, to detect and remove malicious code such as backdoors, rootkits, trojans, worms, and spyware.
4. Continuous Monitoring and Reporting:
-
Update Status: Integrated into Drupal core from version 6 onwards, this feature regularly checks for updates, including security patches, ensuring that your site remains protected against known vulnerabilities.
-
Security Report: This module analyzes your Drupal installation to create a Security Information Report (SIR), providing insights into the security status of your site.
5. Manual Code Reviews and Best Practices:
- Coder Module: A developer-oriented tool that assists with code review and version upgrades. It includes security vulnerability checks, helping developers adhere to best practices and identify potential issues during the development phase.
6. External Vulnerability Scanning Services:
- Scalable CyberSec Module: This module integrates with external cybersecurity services to perform vulnerability scanning of your Drupal site, providing reports and remediation guidance.
7. Community and Security Advisories:
- Drupal Security Advisories: Regularly reviewing security advisories published by the Drupal Security Team can help you stay informed about known vulnerabilities and recommended actions.
By implementing these detection methods, you can proactively identify and address security vulnerabilities within your Drupal site, thereby enhancing its overall security posture.
Detection sources: https://www.drupal.org/docs/administering-a-drupal-site/security-in-drupal/detection-and-prevention, https://www.drupal.org/project/securitytesting, https://www.drupal.org/project/drupal_antivirus, https://www.drupal.org/project/vulnerability_checker, https://www.drupal.org/project/scalable_cybersec, https://www.drupal.org/security
Affected Systems and Versions
- Product: Drupal Authenticator Login module
- Affected versions: 0.0.0 up to but not including 2.1.4
- All configurations using these versions are vulnerable
Vendor Security History
- Similar vulnerabilities have been reported in other Drupal authentication modules, including CVE-2025-31681 and CVE-2025-31694, both involving missing authorization checks on user-specific 2FA configuration paths.
- The Authenticator Login module is maintained by [email protected] and has a history of regular updates, but this incident highlights the need for more rigorous security review of authentication-related contributed modules.
- Drupal's core security team coordinates advisories and patches, but contributed modules have historically faced challenges with access control and authentication security.