CVE-2025-66558: CWE-639: Authorization Bypass Through User-Controlled Key in nextcloud security-advisories
CVE-2025-66558 is a low-severity authorization bypass vulnerability in Nextcloud's Twofactor WebAuthn provider affecting versions prior to 1.4.2 and 2.4.1. The flaw arises from a missing ownership check that allows an attacker to take control of a victim's 2FA WebAuthn device by guessing a long random key string (80-128 characters). Although the attacker cannot authenticate as the victim, they can force the victim to re-register a new 2FA device upon next login, potentially disrupting user experience and 2FA integrity. The vulnerability requires remote network access, low privileges, and high attack complexity, with no user interaction needed. No known exploits are reported in the wild, and patches are available in versions 1.4.
AI Analysis
Technical Summary
CVE-2025-66558 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Nextcloud Twofactor WebAuthn provider. This component implements WebAuthn-based two-factor authentication for Nextcloud, a widely used open-source collaboration platform. The vulnerability exists in versions prior to 1.4.2 and in versions from 2.0.0-beta.1 up to but not including 2.4.1, due to a missing ownership verification when handling WebAuthn device keys. Specifically, an attacker who can guess the victim's 2FA device key (a random string of 80 to 128 characters composed of letters, numbers, and symbols) can take over the victim's registered 2FA device. This takeover does not allow the attacker to authenticate as the victim, but it causes the victim to be prompted to register a new 2FA device upon their next login, effectively disrupting the 2FA mechanism. The attack vector is network-based, requires the attacker to have low privileges (likely a registered user), and has high attack complexity because of the difficulty of guessing the long random key. No user interaction is required, and the scope is unchanged since the attacker cannot escalate privileges or access victim data directly. The vulnerability has a CVSS v3.1 base score of 3.1, indicating low severity, with no known exploits in the wild. The issue is resolved in Nextcloud Twofactor WebAuthn versions 1.4.2 and 2.4.1.
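To make the CWE-639 pattern concrete, the following Python model shows what a "missing ownership check on a user-controlled key" looks like for a 2FA device table, and how the same operation behaves once the check is added. This is an added illustrative example, not Nextcloud's code: the `DeviceStore` class, the `vulnerable_register` and `safe_register` methods, and the user names are hypothetical, and the store is an in-memory stand-in for the provider's device table. The only assumption taken from the advisory is that a device is addressed by a long random key that another user could, in principle, guess.

```python
import secrets
import string
from dataclasses import dataclass

# Character set for the random device key (advisory: letters, digits, symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_device_key(length: int = 96) -> str:
    """Random device key of the kind the advisory describes (80-128 chars)."""
    if not 80 <= length <= 128:
        raise ValueError("key length outside the 80-128 range in the advisory")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Device:
    key: str    # user-controlled lookup key (constructed; hypothetical field)
    owner: str  # uid of the user who registered the device
    name: str


class DeviceStore:
    """In-memory stand-in for a 2FA device table (hypothetical model)."""

    def __init__(self) -> None:
        self._by_key: dict[str, Device] = {}

    def devices_for(self, owner: str) -> list[str]:
        """Names of the devices currently bound to `owner`."""
        return [d.name for d in self._by_key.values() if d.owner == owner]

    def vulnerable_register(self, requester: str, key: str, name: str) -> str:
        # CWE-639 pattern: the row is addressed solely by the user-supplied key.
        # An existing row is overwritten without asking who owns it, so a
        # requester who knows another user's key replaces that user's
        # registration with their own; the victim no longer has a device and
        # is prompted to register a new one at next login.
        self._by_key[key] = Device(key, requester, name)
        return key

    def safe_register(self, requester: str, key: str, name: str) -> str:
        # Ownership check: a row may only be (re)written by the user it belongs
        # to. The lookup is effectively scoped to (requester, key).
        existing = self._by_key.get(key)
        if existing is not None and existing.owner != requester:
            raise PermissionError("device key is not owned by the requester")
        self._by_key[key] = Device(key, requester, name)
        return key


def demo(use_fix: bool) -> tuple[list[str], list[str]]:
    """Run the scenario and return (victim's devices, other user's devices).

    'alice' registers a device; 'mallory' then submits a registration using
    alice's key (the guessed-key case from the advisory). With the vulnerable
    path alice's registration disappears; with the fix the write is refused.
    """
    store = DeviceStore()
    victim_key = generate_device_key()
    store.safe_register("alice", victim_key, "alice-yubikey")

    register = store.safe_register if use_fix else store.vulnerable_register
    try:
        register("mallory", victim_key, "mallory-key")
    except PermissionError:
        pass  # hardened path: the write was rejected

    return store.devices_for("alice"), store.devices_for("mallory")


if __name__ == "__main__":
    print("vulnerable:", demo(use_fix=False))  # alice's device is gone
    print("fixed:     ", demo(use_fix=True))   # alice's device survives
```

The point of the hardened path is that the random key is an identifier, not a credential: the authorization decision must come from the authenticated session's user id, and the key only selects which of that user's rows to touch.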
Potential Impact
For European organizations, the impact of this vulnerability is primarily operational and related to the integrity of two-factor authentication processes. While the attacker cannot directly access or impersonate the victim, the ability to take over a 2FA device registration can cause denial of service to legitimate users by forcing them to re-register their 2FA devices. This disruption can lead to temporary loss of access, increased helpdesk workload, and potential user frustration. In environments with strict security policies or regulatory requirements (such as GDPR), any weakening or disruption of authentication mechanisms can raise compliance concerns. Organizations relying heavily on Nextcloud for collaboration and sensitive data sharing may face increased risk if attackers exploit this flaw to undermine trust in authentication controls. However, since confidentiality and availability are not directly compromised, and no known exploits exist, the overall risk remains low but non-negligible. The vulnerability could be leveraged as part of a broader attack chain if combined with other weaknesses.
Mitigation Recommendations
European organizations should immediately verify their Nextcloud Twofactor WebAuthn versions and upgrade to 1.4.2 or 2.4.1 or later to remediate this vulnerability. Beyond patching, organizations should enforce strong random generation and protection of 2FA device keys to prevent guessing attacks. Monitoring authentication logs for unusual 2FA device re-registrations can help detect exploitation attempts. Implementing network segmentation and limiting access to Nextcloud administrative interfaces reduces exposure. Additionally, educating users about unexpected 2FA prompts and establishing rapid incident response procedures for authentication anomalies will mitigate operational impacts. Organizations should also consider multi-layered authentication strategies and continuous security assessments of their 2FA implementations. Finally, maintaining up-to-date backups and recovery plans ensures resilience against potential disruptions caused by such vulnerabilities.
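The recommendation to watch for unusual 2FA device re-registrations can be turned into a simple rule. The Python below is an added example, not part of the advisory or of Nextcloud: it parses constructed log lines in a made-up format (the `twofactor_webauthn registered|removed user=... device=...` layout is an assumption, not Nextcloud's real log format) and flags any user who registers two or more WebAuthn devices within a 24-hour window, which is the footprint a forced re-registration would leave.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the format is hypothetical, not Nextcloud's own.
LOG_LINES = [
    "2025-12-05T08:00:00 twofactor_webauthn registered user=alice device=alice-yubikey",
    "2025-12-05T09:15:00 twofactor_webauthn registered user=bob device=bob-key",
    "2025-12-05T09:20:00 twofactor_webauthn removed user=bob device=bob-key",
    "2025-12-05T09:21:00 twofactor_webauthn registered user=bob device=bob-key-2",
    "this line is malformed and must be skipped",
    "2025-12-07T10:00:00 twofactor_webauthn registered user=bob device=bob-key-3",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) twofactor_webauthn (?P<event>registered|removed) "
    r"user=(?P<user>\S+) device=(?P<device>\S+)$"
)


def parse_events(lines):
    """Yield (timestamp, event, user, device) for well-formed lines only."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # ignore lines in other formats rather than failing
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue
        yield ts, m["event"], m["user"], m["device"]


def find_suspicious(lines, window=timedelta(hours=24), threshold=2):
    """Return {user: max registrations within any `window`} for users that
    reach `threshold`; a device registration after a removal counts as a
    re-registration."""
    per_user = defaultdict(list)
    for ts, event, user, _ in parse_events(lines):
        if event == "registered":
            per_user[user].append(ts)

    flagged = {}
    for user, times in per_user.items():
        times.sort()
        best = 0
        # Sliding window over the sorted registration timestamps.
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    for user, count in find_suspicious(LOG_LINES).items():
        print(f"{user}: {count} WebAuthn registrations within 24h, review")
```

In the sample, bob's registration at 09:15 and re-registration at 09:21 on the same day fall within the window and are flagged; the third registration two days later does not join them. The threshold and window are starting points; tune them against your own baseline of legitimate device rotation.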
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-04T16:01:32.473Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69332135f88dbe026c01494d
Added to database: 12/5/2025, 6:15:17 PM
Last enriched: 12/12/2025, 7:15:27 PM
Last updated: 2/7/2026, 1:43:05 PM
Views: 107