Critical severity9.1NVD Advisory· Published Sep 16, 2025· Updated Apr 15, 2026

CVE-2025-54391

Description

A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The attacker can configure an additional 2FA method (either a third-party authenticator app or email-based 2FA) without presenting a valid authentication token or proving access to an already configured 2FA method. This bypasses 2FA and results in unauthorized access to accounts that are otherwise protected by 2FA.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wiki.zimbra.com/wiki/Security_Centernvd
wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policynvd
wiki.zimbra.com/wiki/Zimbra_Security_Advisoriesnvd

News mentions

No linked articles in our index yet.

cvss	0.591
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000