PT-2025-15072 · Zammad · Zammad

Rodrigo Magalhães +1 · Published 2025-04-05 · Updated 2025-04-15 · CVE-2025-32359

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Zammad versions 6.4.0 through 6.4.1
Description: The issue is client-side enforcement of a server-side security check in Zammad. Users who change their two-factor authentication configuration are required to re-authenticate with their current password first, but this check is enforced only by the front-end. Requests sent directly to the API are not required to supply the current password, so the re-authentication step can be bypassed by any authenticated user.
Recommendations: For Zammad versions 6.4.0 through 6.4.1, update to version 6.4.2 to resolve the issue. As a temporary workaround, consider restricting direct API access for users until the update is applied.
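The following Ruby example is added here to illustrate the weakness class the advisory describes and its fix; it is not Zammad's code, and the class, module and attribute names (User, VulnerableTwoFactorApi, HardenedTwoFactorApi, password_valid?) are hypothetical. The vulnerable handler trusts that the front-end already prompted for the password, so a request that goes straight to the API changes the 2FA settings without one; the hardened handler re-verifies the current password on the server for every request.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical user record (not Zammad's model). Passwords are stored as a
# salted PBKDF2-HMAC-SHA256 hash; the 2FA state is a constructed sample.
class User
  attr_reader :login, :two_factor
  PBKDF2_ITER = 100_000

  def initialize(login, password)
    @login = login
    @salt = SecureRandom.random_bytes(16)
    @password_hash = derive(password)
    @two_factor = { enabled: true, method: 'totp' } # constructed sample state
  end

  # Constant-time check of a candidate password against the stored hash.
  def password_valid?(candidate)
    return false unless candidate.is_a?(String)
    constant_time_equal?(derive(candidate), @password_hash)
  end

  def two_factor=(cfg)
    @two_factor = cfg
  end

  private

  def derive(password)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: @salt, iterations: PBKDF2_ITER,
                             length: 32, hash: 'sha256')
  end

  # XOR-accumulate so comparison time does not depend on where bytes differ.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# VULNERABLE pattern (the behaviour the advisory describes): the handler
# assumes the front-end already re-authenticated the user, so a request sent
# directly to the API can rewrite the 2FA configuration with no password.
module VulnerableTwoFactorApi
  def self.update(user, new_config)
    user.two_factor = new_config
    { status: 200 }
  end
end

# HARDENED pattern: the server verifies the current password itself before
# touching the 2FA configuration, regardless of how the request arrived.
module HardenedTwoFactorApi
  def self.update(user, new_config, current_password:)
    unless user.password_valid?(current_password)
      return { status: 403, error: 'current password required' }
    end
    user.two_factor = new_config
    { status: 200 }
  end
end

# Models a request that skips the front-end prompt (no password supplied).
def simulate_direct_api_call(api, user)
  disable = { enabled: false }
  if api == HardenedTwoFactorApi
    api.update(user, disable, current_password: nil)
  else
    api.update(user, disable)
  end
end

if $PROGRAM_NAME == __FILE__
  alice = User.new('alice', 'correct horse battery staple')
  p simulate_direct_api_call(VulnerableTwoFactorApi, alice), alice.two_factor
  bob = User.new('bob', 'correct horse battery staple')
  p simulate_direct_api_call(HardenedTwoFactorApi, bob), bob.two_factor
end
```

The detection angle follows from the same design: with the hardened handler, every 2FA change is preceded by a server-side password check, so a 2FA change with no corresponding successful password verification in the server logs is itself an anomaly worth alerting on.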

Fix

Weakness Enumeration

Related Identifiers: CVE-2025-32359

Affected Products: Zammad