CVE-2025-47941 HIGH

CVE-2025-47941: TYPO3 Has Broken Authentication in Backend MFA

Vendor Typo3

Product typo3

Weakness CWE-288

Published May 20, 2025

Last update May 20, 2025

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, the multifactor authentication (MFA) dialog presented during backend login can be bypassed due to insufficient enforcement of access restrictions on all backend routes. Successful exploitation requires valid backend user credentials, as MFA can only be bypassed after successful authentication. Users should update to TYPO3 version 12.4.31 LTS or 13.4.12 LTS to fix the problem.

Key dates

Disclosure timeline

May 20, 2025 CVE published

May 20, 2025 Record updated

Identifiers

CVE CVE-2025-47941

CWE CWE-288

CVSS 7.2 / HIGH

Affected versions

Vendor Typo3

Product typo3

Affected >= 12.0.0, < 12.4.31

Vendor Typo3

Product typo3

Affected >= 13.0.0, < 13.4.12