CVE-2023-40260

Name of the Vulnerable Software and Affected Versions EmpowerID versions prior to 7.205.0.1

Description The issue allows an attacker to bypass a multi-factor authentication (MFA) requirement if the first factor, which includes the username and password, is known. This is possible because knowing the first factor is sufficient to change an account's email address. Once the email address is changed, the product sends MFA codes to the new email address, which may be controlled by the attacker.

Recommendations For EmpowerID versions prior to 7.205.0.1, update to version 7.205.0.1 or later to resolve the issue. As a temporary workaround, consider restricting the ability to change email addresses for accounts to minimize the risk of exploitation.