1357 matches found
Wrangling Entropy: Next-Generation Multi-Factor Key Derivation, Credential Hashing, and Credential Generation Functions
The Multi-Factor Key Derivation Function (MFKDF) offered a novel solution to the classic problem of usable client-side key management by incorporating multiple popular authentication factors into a key derivation process, but was later shown to be vulnerable to cryptanalysis that degraded its...
Azure mandatory multifactor authentication: Phase 2 starting in October 2025
As cyberattacks become increasingly frequent, sophisticated, and damaging, safeguarding your digital assets has never been more critical, and at Microsoft, your security is our top priority. Microsoft research shows that multi-factor authentication (MFA) can block more than 99.2% of account...
Linux Distros Unpatched Vulnerability : CVE-2024-34007
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF. CVE-2024-34007 Note that...
Simple Steps for Attack Surface Reduction
Cybersecurity leaders face mounting pressure to stop attacks before they start, and the best defense may come down to the settings you choose on day one. In this piece, Yuriy Tsibere explores how default policies like deny-by-default, MFA enforcement, and application Ringfencin...
CVE-2025-56689
One Identity by Quest Safeguard for Privileged Passwords Appliance 7.5.1.20903 is vulnerable to One Time Password (OTP)/Multifactor Authentication (MFA) bypass using response manipulation. An attacker who intercepts or captures a valid OTP response can bypass the OTP verification step by replaying th...
PT-2025-35801
Name of the Vulnerable Software and Affected Versions: Quest One Identity version 7.5.1.20903. Description: A crafted response manipulation can bypass the One-Time Password (OTP) on the Multi-Factor Authentication (MFA) page, leading to unauthorized access to the Privileged Access Management (PAM) porta...
Broken Authentication
github.com/hashicorp/vault is vulnerable to Broken Authentication. The vulnerability is due to improper MFA enforcement when `username_as_alias` is set to true and a user has multiple CNs with leading or trailing spaces, which allows attackers to bypass MFA authentication...
Authentication Bypass
Vault is vulnerable to authentication bypass. The vulnerability is due to insufficient enforcement of MFA login rate limits and TOTP token reuse, which allows an attacker to bypass MFA protections and reuse valid tokens for unauthorized access...
ROS-20250819-01
Moodle virtual learning environment vulnerability related to an IDOR issue in the Feedback report. Exploitation of the vulnerability could allow an attacker acting remotely to gain unauthorized access to functions that would otherwise be restricted. Vulnerability...
Liferay Portal Login Bypass Vulnerability
Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36 allows unauthenticated users with valid...
GHSA-G4WG-MPFG-X2Q6 Liferay Portal Login Bypass Vulnerability
Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36 allows unauthenticated users with valid...
Authentication Bypass Using an Alternate Path or Channel
Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the login process when multi-factor authentication is enabled. An attacker can gain unauthorized access by submitting valid credentials and changing the HTTP method from POST ...
CVE-2025-3639
Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36 allows unauthenticated users with valid...
CVE-2025-3639
CVE-2025-3639 affects Liferay Portal 7.3.0–7.4.3.132 and Liferay DXP releases up to 2025.Q1.6 (and corresponding 2024.Q1–Q4 updates). The issue allows bypassing the login process by changing a POST to GET after MFA is enabled, enabling an attacker with valid credentials to access accounts without...
PT-2025-33670 · Liferay · Liferay Portal +1
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.3.0 through 7.4.3.132; Liferay DXP versions 2025.Q1 through 2025.Q1.6; Liferay DXP versions 2024.Q4.0 through 2024.Q4.7; Liferay DXP versions 2024.Q3.1 through 2024.Q3.13; Liferay DXP versions 2024.Q2.0 through 2024.Q2.1...