VYPR
Medium severity · 5.9 · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

Vantage6: 2FA can be circumvented with hacked email access

CVE-2024-27928

Description

Vantage6 allows attackers to bypass 2FA by resetting passwords and 2FA tokens via a compromised user email account.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In vantage6 versions prior to 5.0.1, if an attacker gains access to a user's email account, they can reset the user's password and subsequently reset the two-factor authentication (2FA) token via email. This effectively reduces the 2FA protection to single-factor authentication (email access) [4]. This vulnerability exists because the application allowed both password and 2FA token resets to be initiated through email [1].

Exploitation

An attacker must first compromise a vantage6 user's email account. With access to the email, the attacker can then initiate a password reset process. Following the password reset, the attacker can initiate a 2FA token reset, also via email. This sequence of actions allows the attacker to bypass the 2FA security measure [4]. The description notes that this attack is less likely to succeed if the user's email account itself is protected by 2FA [4].

Impact

Successful exploitation allows an attacker to bypass the two-factor authentication mechanism for a vantage6 user account. By compromising the user's email, the attacker can gain full control over the user's account, effectively reducing the security from 2FA to single-factor authentication (email access) [4]. The scope of the compromise is limited to the individual user account whose email was compromised.

Mitigation

As of the release notes for version 5.0.1 on June 5, 2026, there are no patches available for this vulnerability [1]. The provided references indicate that no workarounds or patches are currently available [4]. The proposed solutions are to implement recovery codes or to restrict 2FA token resets to server administrators only, but neither has been implemented as a patch [4].
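The two mitigations named above (recovery codes, or admin-only 2FA resets) are easiest to reason about next to the weak flow they replace. The following is an added, constructed model of both reset policies; it is not vantage6's code, and every name in it (`User`, `reset_2fa_via_email_link`, `reset_2fa_hardened`, `issue_recovery_codes`) is hypothetical. The point it makes is that once password and 2FA resets are both gated only on an email link, the mailbox becomes the single factor, whereas a reset gated on a single-use recovery code or an administrator's action keeps a second factor in play.

```python
"""Constructed model of a weak vs. hardened 2FA-reset policy (not vantage6 code)."""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    is_admin: bool = False
    # Only hashes of recovery codes are stored server-side.
    recovery_code_hashes: set = field(default_factory=set)
    totp_secret: str = "constructed-old-secret"


def _hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def issue_recovery_codes(user: User, n: int = 5) -> list:
    """Generate single-use recovery codes at 2FA enrolment; return them once to the user."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    user.recovery_code_hashes = {_hash(c) for c in codes}
    return codes


def reset_2fa_via_email_link(user: User, email_link_valid: bool) -> bool:
    """Weak policy: a valid email link alone rotates the TOTP secret.

    Combined with an email-driven password reset, control of the mailbox is
    all an attacker needs, which is the single-factor reduction the advisory describes.
    """
    if not email_link_valid:
        raise PermissionError("invalid reset link")
    user.totp_secret = secrets.token_hex(10)
    return True


def reset_2fa_hardened(user: User, *, recovery_code: str = None, actor: User = None) -> str:
    """Hardened policy: rotate the TOTP secret only with an unused recovery code
    or when a server administrator performs the reset. An email link is never enough."""
    if recovery_code is not None:
        h = _hash(recovery_code)
        if h in user.recovery_code_hashes:
            user.recovery_code_hashes.discard(h)  # single use
            user.totp_secret = secrets.token_hex(10)
            return "recovery_code"
        raise PermissionError("invalid or already-used recovery code")
    if actor is not None and actor.is_admin:
        user.totp_secret = secrets.token_hex(10)
        return "admin"
    raise PermissionError("2FA reset requires a recovery code or a server administrator")


def run_scenarios() -> dict:
    """Exercise both policies with a mailbox-only actor, a recovery code, and an admin."""
    results = {}

    weak_user = User("alice")
    old = weak_user.totp_secret
    reset_2fa_via_email_link(weak_user, email_link_valid=True)
    results["weak_email_only_resets_2fa"] = weak_user.totp_secret != old

    hard_user = User("bob")
    codes = issue_recovery_codes(hard_user, n=3)
    try:
        reset_2fa_hardened(hard_user)  # mailbox-only actor has neither code nor admin role
        results["hardened_email_only_resets_2fa"] = True
    except PermissionError:
        results["hardened_email_only_resets_2fa"] = False

    results["recovery_code_path"] = reset_2fa_hardened(hard_user, recovery_code=codes[0])
    try:
        reset_2fa_hardened(hard_user, recovery_code=codes[0])  # reuse must fail
        results["recovery_code_reusable"] = True
    except PermissionError:
        results["recovery_code_reusable"] = False
    results["codes_remaining"] = len(hard_user.recovery_code_hashes)

    admin = User("server-admin", is_admin=True)
    results["admin_path"] = reset_2fa_hardened(hard_user, actor=admin)
    results["non_admin_actor_allowed"] = False
    try:
        reset_2fa_hardened(hard_user, actor=User("carol"))
        results["non_admin_actor_allowed"] = True
    except PermissionError:
        pass
    return results


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

Keeping the password reset on email while moving the 2FA reset behind a recovery code or an administrator means a compromised mailbox still yields only the password; the second factor survives unless the attacker also holds an unused code. Recovery codes should be issued at enrolment and stored hashed, as in the model, and each code consumed on first use.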

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 0

No linked articles in our index yet.