CVE-2025-56689

One Identity by Quest Safeguard for Privileged Passwords Appliance 7.5.1.20903 is vulnerable to One Time Password (OTP)/Multifactor Authentication (MFA) bypass using response manipulation. An attacker who intercepts or captures a valid OTP response can bypass the OTP verification step by replaying the same response. NOTE: this is disputed by the Supplier because, by design, the product successfully authenticates a client that possesses a cookie whose validity time interval includes the current time, and thus authentication after any type of "interception" is not a violation of the security model. (The cookie has the HttpOnly attribute.)

Configurations

Configuration 1

cpe:2.3:a:quest:one_identity:7.5.1.20903:*:*:*:*:*:*:*

History

16 Sep 2025, 16:15

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) One Identity by Quest Safeguard for Privileged Passwords Appliance 7.5.1.20903 is vulnerable to One Time Password (OTP)/Multifactor Authentication (MFA) bypass using response manipulation. An attacker who intercepts or captures a valid OTP response can bypass the OTP verification step by replaying the same response. | (en) One Identity by Quest Safeguard for Privileged Passwords Appliance 7.5.1.20903 is vulnerable to One Time Password (OTP)/Multifactor Authentication (MFA) bypass using response manipulation. An attacker who intercepts or captures a valid OTP response can bypass the OTP verification step by replaying the same response. NOTE: this is disputed by the Supplier because, by design, the product successfully authenticates a client that possesses a cookie whose validity time interval includes the current time, and thus authentication after any type of "interception" is not a violation of the security model. (The cookie has the HttpOnly attribute.) |

09 Sep 2025, 19:14

| Type | Values Removed | Values Added |
|---|---|---|
| First Time | | Quest one Identity; Quest |
| References | () https://medium.com/@vigneshrajan54_88115/how-i-found-cve-2025-56689-in-safeguard-for-privileged-passwords-6d58fd4bf453 - | () https://medium.com/@vigneshrajan54_88115/how-i-found-cve-2025-56689-in-safeguard-for-privileged-passwords-6d58fd4bf453 - Exploit, Third Party Advisory |
| CPE | | cpe:2.3:a:quest:one_identity:7.5.1.20903:*:*:*:*:*:*:* |

08 Sep 2025, 16:15

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) An issue was discovered in Quest One Identity 7.5.1.20903. A crafted response manipulation can bypass the OTP on MFA page which leads to access the PAM portal without OTP allowing attackers to control an arbitrary account. | (en) One Identity by Quest Safeguard for Privileged Passwords Appliance 7.5.1.20903 is vulnerable to One Time Password (OTP)/Multifactor Authentication (MFA) bypass using response manipulation. An attacker who intercepts or captures a valid OTP response can bypass the OTP verification step by replaying the same response. |

03 Sep 2025, 20:15

| Type | Values Removed | Values Added |
|---|---|---|
| CWE | | CWE-290 |
| CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 4.6 |

03 Sep 2025, 17:15

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2025-09-03 17:15

Updated : 2025-09-16 16:15


NVD link : CVE-2025-56689

Mitre link : CVE-2025-56689

CVE.ORG link : CVE-2025-56689



Products Affected

quest

  • one_identity

CWE

CWE-290

Authentication Bypass by Spoofing