PT-2025-44343 · Zitadel · Zitadel

Published: 2025-10-29 · Updated: 2025-11-07 · CVE-2025-64103

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Zitadel versions prior to 4.6.0
Zitadel versions 2.53.6 through 2.55.0
Zitadel versions prior to 3.4.3
Zitadel versions prior to 2.71.18
Description

A flaw exists in Zitadel where multi-factor authentication (MFA) was not consistently enforced. Specifically, starting with versions 2.53.6, 2.54.3, and 2.55.0, MFA was required only if the login policy explicitly enabled requireMFA or requireMFAForLocalUsers. If a user had configured MFA but neither policy was enabled, Zitadel accepted single-factor authentication as valid. This bypass of the second authentication factor weakens the protection MFA is meant to provide and allows attackers to potentially compromise accounts. An attacker could instead target the six-digit Time-based One-Time Password (TOTP) code and bypass password verification entirely.
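As an added illustration that is not part of this advisory or of Zitadel's code base, the following Go snippet contrasts the policy-only decision described above with the rule a defender expects, and enumerates the policy combinations under which an enrolled user would still be accepted on a single factor. Type, field and function names are assumptions; the corrected rule is the intended behaviour as a defender would state it, not a copy of the upstream patch.

```go
package main

import "fmt"

// LoginPolicy carries the two policy switches named in the advisory.
// Struct and field names are assumptions for this illustration, not Zitadel's types.
type LoginPolicy struct {
	RequireMFA              bool
	RequireMFAForLocalUsers bool
}

// User holds only what the MFA decision needs.
type User struct {
	IsLocal        bool // password account held by Zitadel rather than a federated IdP
	HasMFAEnrolled bool // the user has set up TOTP or another second factor
}

// mfaRequiredVulnerable reproduces the flawed rule described in the advisory:
// a second factor is demanded only when the login policy asks for it, so a
// user who enrolled MFA without such a policy completes login with one factor.
func mfaRequiredVulnerable(p LoginPolicy, u User) bool {
	return p.RequireMFA || (p.RequireMFAForLocalUsers && u.IsLocal)
}

// mfaRequiredFixed is the rule a defender expects (an assumption about the
// intended behaviour, not a copy of Zitadel's patch): an enrolled second
// factor must always be verified, whatever the policy says.
func mfaRequiredFixed(p LoginPolicy, u User) bool {
	return u.HasMFAEnrolled || mfaRequiredVulnerable(p, u)
}

// ExposedPolicies lists the policy combinations under which an affected
// version would let the given user log in with a single factor even though
// MFA is enrolled, i.e. where the two rules disagree.
func ExposedPolicies(u User) []LoginPolicy {
	var out []LoginPolicy
	for _, p := range []LoginPolicy{{false, false}, {false, true}, {true, false}, {true, true}} {
		if mfaRequiredFixed(p, u) && !mfaRequiredVulnerable(p, u) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	local := User{IsLocal: true, HasMFAEnrolled: true}
	federated := User{IsLocal: false, HasMFAEnrolled: true}
	fmt.Println("local user exposed under:", ExposedPolicies(local))         // [{false false}]
	fmt.Println("federated user exposed under:", ExposedPolicies(federated)) // [{false false} {false true}]
}
```

Note that requireMFAForLocalUsers does not cover a federated user, so on an affected version such a user remains exposed under two of the four policy combinations.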
Recommendations

Update to Zitadel version 4.6.0 or later.
Update to Zitadel version 3.4.3 or later.
Update to Zitadel version 2.71.18 or later.

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2025-64103
GHSA-CFJQ-28R2-4JV5
GO-2025-4083
OPENSUSE-SU-2025:15710-1

Affected Products

Zitadel