
CVE-2025-47790: CWE-287: Improper Authentication in nextcloud security-advisories

Severity: Medium
Tags: Vulnerability, CVE-2025-47790, cve, cve-2025-47790, cwe-287
Published: Fri May 16 2025 (05/16/2025, 14:02:57 UTC)
Source: CVE
Vendor/Project: nextcloud
Product: security-advisories

Description

Nextcloud Server is a self-hosted personal cloud system. Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 have a bug in session handling. When the server is configured with `remember_login_cookie_lifetime` set to `0`, the session expires on the page for selecting the second factor, and that page is reloaded, the second factor confirmation is skipped after a successful login with username and password. Nextcloud Server 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 contain a patch. As a workaround, set `remember_login_cookie_lifetime` in config.php to a value other than `0`, e.g. `900`. Beware that this workaround only applies to new sessions created after the configuration change; system administrators can delete affected sessions.

AI-Powered Analysis

Last updated: 07/11/2025, 23:47:50 UTC

Technical Analysis

CVE-2025-47790 is a medium severity vulnerability affecting multiple versions of Nextcloud Server and Nextcloud Enterprise Server prior to specific patched releases (29.0.15, 30.0.9, 31.0.3 for Server and 26.0.13.15 through 31.0.3 for Enterprise). The vulnerability stems from improper authentication (CWE-287) related to session handling when the server is configured with the parameter `remember_login_cookie_lifetime` set to 0. Under these conditions, after a user successfully logs in with username and password, the system is supposed to require a second factor authentication (2FA) confirmation. However, if the session expires on the 2FA selection page and the page is reloaded, the second factor confirmation step is skipped, allowing the user to bypass 2FA. This flaw effectively reduces the security of accounts protected by 2FA, potentially allowing attackers who have compromised primary credentials to gain full access without completing the second authentication step. The vulnerability requires low privileges (PR:L) and user interaction (UI:R) but can be exploited remotely (AV:N). The CVSS v3.1 base score is 6.4, reflecting high impact on confidentiality and integrity but no impact on availability. The issue is mitigated in patched versions of Nextcloud Server and Enterprise Server. A temporary workaround involves setting `remember_login_cookie_lifetime` to a non-zero value (e.g., 900 seconds) to prevent session expiration from triggering the bypass, though this only affects new sessions after the change. Administrators are also advised to delete affected sessions to mitigate risk. No known exploits are currently reported in the wild.

Potential Impact

For European organizations using Nextcloud as a self-hosted cloud solution, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive data. Nextcloud is widely adopted in Europe, especially among public sector entities, educational institutions, and enterprises valuing data sovereignty. The bypass of 2FA undermines a critical security control, increasing the likelihood of unauthorized access if primary credentials are compromised through phishing, credential stuffing, or insider threats. This can lead to data breaches, unauthorized data modification, and potential compliance violations under GDPR due to inadequate access controls. The vulnerability does not impact availability, but the loss of confidentiality and integrity can have severe operational and reputational consequences. Organizations relying on Nextcloud for file sharing, collaboration, and document management must prioritize remediation to maintain trust and regulatory compliance.

Mitigation Recommendations

1. Immediately upgrade to the patched Nextcloud Server or Enterprise Server versions as listed (e.g., 29.0.15, 30.0.9, 31.0.3 or the respective Enterprise versions) to fully remediate the vulnerability.
2. As a temporary measure before patching, set the `remember_login_cookie_lifetime` configuration parameter in config.php to a non-zero value such as 900 seconds to prevent session expiration from causing the 2FA bypass.
3. Invalidate and delete all existing user sessions to ensure no active sessions are vulnerable to the bypass.
4. Review and strengthen monitoring and alerting for unusual login patterns or suspicious session activity, particularly failed or bypassed 2FA attempts.
5. Educate users about the importance of safeguarding primary credentials and recognizing phishing attempts, as credential compromise is a prerequisite for exploitation.
6. Consider implementing additional compensating controls such as IP-based restrictions or device trust policies to reduce risk during patch deployment.
7. Regularly audit Nextcloud configurations and session management settings to ensure compliance with security best practices.
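To decide whether an instance still needs step 1 or is at least covered by the step 2 workaround, here is an added audit helper (not Nextcloud code and not part of the advisory) that reads `remember_login_cookie_lifetime` from config.php and compares the running version against the fixed releases listed in the description above. The config excerpt is constructed, and the helper assumes an absent key means the shipped non-zero default applies, so the triggering condition is not met.

```python
import re
from typing import Optional

# Fixed releases taken from the advisory, keyed by major version.
# 26-28 are listed only for Nextcloud Enterprise Server; 29-31 cover both editions.
FIXED_VERSIONS = {
    26: (26, 0, 13, 15), 27: (27, 1, 11, 15), 28: (28, 0, 14, 6),
    29: (29, 0, 15), 30: (30, 0, 9), 31: (31, 0, 3),
}
# The value may be a literal or a product such as 60*60*24*15, as config.php spells durations.
_LIFETIME_RE = re.compile(r"""['"]remember_login_cookie_lifetime['"]\s*=>\s*([0-9][0-9\s*]*)""")

# Constructed config.php excerpt carrying the setting that triggers the bug.
SAMPLE_CONFIG = """<?php
$CONFIG = array (
  'instanceid' => 'constructed-example',
  'remember_login_cookie_lifetime' => 0,
);
"""

def parse_version(text: str) -> tuple:
    """'30.0.8' -> (30, 0, 8); tuple ordering matches release ordering."""
    return tuple(int(p) for p in text.strip().split("."))

def is_patched(version: str) -> Optional[bool]:
    """True once the branch's fixed release is installed; None if the branch is not in the advisory."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    return None if fixed is None else v >= fixed

def cookie_lifetime(config_php: str) -> Optional[int]:
    """Configured lifetime in seconds, or None when the key is absent."""
    m = _LIFETIME_RE.search(config_php)
    if not m:
        return None
    value = 1
    for factor in re.sub(r"\s", "", m.group(1)).split("*"):
        value *= int(factor)
    return value

def assess(config_php: str, version: str) -> str:
    """'patched': fixed release installed; 'vulnerable': unpatched with lifetime 0;
    'workaround': unpatched but lifetime non-zero (assumption: an absent key means the
    shipped non-zero default, so the triggering condition is not met)."""
    if is_patched(version):  # None (branch not in the advisory) is treated as unpatched
        return "patched"
    return "vulnerable" if cookie_lifetime(config_php) == 0 else "workaround"

if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, "30.0.8"))
```

Note that "workaround" only reflects sessions created after the value was changed; sessions that existed before still need to be deleted as step 3 says.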


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-09T19:49:35.622Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f91484d88663aebe3d

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/11/2025, 11:47:50 PM

Last updated: 8/12/2025, 12:40:21 PM

