CVE-2025-3910 is an authentication bypass vulnerability identified in the Red Hat Build of Keycloak, specifically affecting versions 25.0.0, 26.0.0, and 26.2.0. The vulnerability resides in the org.keycloak.authorization package, where a flaw allows users to circumvent required actions that are normally enforced during authentication workflows. One critical example is the ability to bypass mandatory two-factor authentication (2FA) setup, which is a key security control to prevent unauthorized access. The vulnerability does not require any privileges (PR:N) and can be exploited remotely (AV:N), but it does require user interaction (UI:R), such as a user initiating a login or authentication process. The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component without affecting other system components. The CVSS 3.1 base score is 5.4, indicating a medium severity level, with impacts on confidentiality and integrity but no impact on availability. Although no known exploits are currently reported in the wild, the flaw could be leveraged by attackers to weaken authentication controls, potentially enabling unauthorized access or privilege escalation if combined with other vulnerabilities or social engineering. The vulnerability underscores the importance of secure enforcement of authentication policies within identity management solutions like Keycloak, which is widely used for single sign-on (SSO) and access control in enterprise environments.

For European organizations, the impact of CVE-2025-3910 can be significant, particularly for those relying on Keycloak for identity and access management in critical systems. The ability to bypass required actions such as 2FA setup undermines the security posture by allowing attackers or malicious insiders to gain access with weaker authentication, increasing the risk of data breaches and unauthorized access to sensitive information. Confidentiality and integrity of user accounts and protected resources could be compromised, potentially leading to lateral movement within networks or exposure of personal and corporate data. Although availability is not directly affected, the indirect consequences of compromised credentials could disrupt business operations. Sectors such as government, finance, healthcare, and critical infrastructure in Europe that use Keycloak for authentication are particularly vulnerable. The lack of known exploits in the wild provides a window for proactive mitigation, but the medium severity rating means organizations should act promptly to prevent exploitation.

Organizations should immediately verify if their Keycloak deployments are running affected versions 25.0.0, 26.0.0, or 26.2.0 and plan to upgrade to patched versions once available from Red Hat. In the absence of a patch, administrators should review and tighten authentication workflows and policies, ensuring that required actions like 2FA setup cannot be bypassed through alternative flows. Implement additional monitoring and alerting for anomalous authentication events, such as users skipping 2FA setup or unusual login patterns. Employ compensating controls such as network segmentation and strict access controls to limit the impact of compromised accounts. Conduct user awareness training to reduce the risk of social engineering that could facilitate exploitation. Regularly audit identity and access management configurations and consider multi-layered authentication mechanisms beyond Keycloak’s built-in controls. Engage with Red Hat support for guidance and stay updated on security advisories related to this vulnerability.