
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-7RHV-H82H-VPJH: CVE-2026-30777: MFA Bypass in EC-CUBE Administrative Interface

Vulnerability ID: GHSA-7RHV-H82H-VPJH
CVSS Score: 4.9
Published: 2026-03-05

EC-CUBE, a widely used open-source e-commerce platform, contains a critical authentication bypass vulnerability in its Multi-Factor Authentication (MFA) implementation. The flaw allows an attacker who possesses valid administrative credentials (username and password) to bypass the secondary MFA challenge by directly accessing the MFA configuration route. This route was improperly excluded from the authentication listener's enforcement logic, allowing the attacker to overwrite the existing TOTP secret with a new one under their control, effectively taking over the administrator account.

TL;DR

An improper route exclusion in EC-CUBE's MFA logic allows attackers with valid passwords to bypass 2FA. By navigating directly to the setup URL, attackers can overwrite the victim's MFA secret key without passing the initial challenge. Fixed in versions 4.3.1-p1, 4.2.3-p2, and 4.1.2-p5.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-288
  • Attack Vector: Network
  • CVSS v3.1: 4.9 (Medium)
  • CVSS v4.0: 6.9 (Medium)
  • Impact: Authentication Bypass
  • EPSS Score: 0.06%

Affected Systems

  • EC-CUBE 4.1.x
  • EC-CUBE 4.2.x
  • EC-CUBE 4.3.x
  • EC-CUBE: >= 4.1.0, <= 4.1.2 (Fixed in: 4.1.2-p5)
  • EC-CUBE: >= 4.2.0, <= 4.2.3 (Fixed in: 4.2.3-p2)
  • EC-CUBE: >= 4.3.0, <= 4.3.1 (Fixed in: 4.3.1-p1)

Code Analysis

Commit: 0947859

Fix for MFA bypass: conditional exclusion of setup route
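To make the commit message concrete, the following is an added, hypothetical model of the enforcement listener described above (not EC-CUBE's own code): the vulnerable variant exempts the TOTP setup route unconditionally, the fixed variant exempts it only while the admin has no secret yet. The route names other than `admin_two_factor_auth_set`, the session fields and the `patched` switch are assumptions made for the illustration.

```python
"""Toy model of an MFA enforcement listener, vulnerable vs. fixed.
Assumed names: CHALLENGE_ROUTE, LOGIN_ROUTE and the AdminSession fields
are illustrative, not EC-CUBE internals."""
from dataclasses import dataclass
from typing import Optional, Tuple

SETUP_ROUTE = "admin_two_factor_auth_set"   # route name quoted in the advisory
CHALLENGE_ROUTE = "admin_two_factor_auth"   # assumed name of the TOTP challenge page
LOGIN_ROUTE = "admin_login"                 # assumed name of the password login page


@dataclass
class AdminSession:
    password_ok: bool = False            # primary factor (username/password) passed
    mfa_passed: bool = False             # TOTP challenge passed in this session
    totp_secret: Optional[str] = None    # secret currently stored for the account


def needs_mfa_challenge(route: str, s: AdminSession, patched: bool) -> bool:
    """True when the listener must redirect the request to the MFA challenge."""
    if not s.password_ok or route in (LOGIN_ROUTE, CHALLENGE_ROUTE):
        return False                     # not yet past the first factor, or on the MFA pages
    if s.mfa_passed:
        return False                     # second factor already satisfied
    if route == SETUP_ROUTE:
        # Vulnerable: setup is always exempt, so a password-only session can
        # reach it.  Fixed: exempt only for first-time enrolment (no secret yet).
        return patched and s.totp_secret is not None
    return True


def handle(route: str, s: AdminSession, patched: bool, new_secret: str = "") -> str:
    """Simulated dispatch: 'redirect', 'updated' (secret replaced) or 'ok'."""
    if needs_mfa_challenge(route, s, patched):
        return "redirect"
    if route == SETUP_ROUTE and new_secret:
        s.totp_secret = new_secret       # the setup route overwrites the stored secret
        return "updated"
    return "ok"


def password_only_session(patched: bool) -> Tuple[str, Optional[str]]:
    """Regression check: a session that passed only the password tries to
    re-enrol TOTP on an account that already has a secret."""
    s = AdminSession(password_ok=True, totp_secret="EXISTING-SECRET")
    result = handle(SETUP_ROUTE, s, patched, new_secret="NEW-SECRET")
    return result, s.totp_secret
```

The patched branch still lets a freshly created admin with no secret complete first-time enrolment, which is the behaviour the conditional exclusion preserves.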

Mitigation Strategies

  • Update EC-CUBE to the latest patch version immediately.
  • Restrict access to the /admin directory to trusted IP addresses.
  • Monitor access logs for direct requests to 'admin_two_factor_auth_set' without a preceding MFA success.

Remediation Steps:

  1. Identify the running version of EC-CUBE (4.1, 4.2, or 4.3).
  2. Download the corresponding patch plugin or source update from the official EC-CUBE site.
  3. Apply the patch using the command line: bin/console eccube:composer:update or via the plugin manager.
  4. Clear the application cache: bin/console cache:clear.
  5. Verify the fix by attempting to access /admin/setting/system/two_factor_auth/set while logged in as an admin with active MFA. You should be redirected.
