CVE-2025-32359 · HIGH 8.8 · EPSS p15.0%


Description

In Zammad 6.4.x before 6.4.2, there is client-side enforcement of server-side security. When changing their two-factor authentication configuration, users need to re-authenticate with their current password first. However, Zammad enforced this check only at the front-end level, not when the API was used directly.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.24% probability of exploitation · percentile 15.0% · 2026-06-19T12:03:05Z
Published: 2025-04-05
Last modified: 2025-04-15

Underlying weaknesses · 1

CWE-602

References

  1. https://zammad.com/en/advisories/zaa-2025-02


Type      Target                                                    Confidence  Tier
Weakness  Client-Side Enforcement of Server-Side Security (cwe-602)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-64103
CVE: CVE-2025-54391
CVE: CVE-2025-32360
CVE: CVE-2026-33373
CVE: CVE-2025-11669
CVE: CVE-2026-4924
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.