CVE-2025-56689 — MEDIUM (4.6)

Vulnerability Description

One Identity by Quest Safeguard for Privileged Passwords Appliance 7.5.1.20903 is vulnerable to One Time Password (OTP)/Multifactor Authentication (MFA) bypass using response manipulation. An attacker who intercepts or captures a valid OTP response can bypass the OTP verification step by replaying the same response. NOTE: this is disputed by the Supplier because, by design, the product successfully authenticates a client that possesses a cookie whose validity time interval includes the current time, and thus authentication after any type of "interception" is not a violation of the security model. (The cookie has the HttpOnly attribute.)

CVSS Score

4.6

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Quest	One Identity	7.5.1.20903

Related Weaknesses (CWE)

CWE-290

References

https://medium.com/@vigneshrajan54_88115/how-i-found-cve-2025-56689-in-safeguardExploitThird Party Advisory

FAQ

What is CVE-2025-56689?

CVE-2025-56689 is a vulnerability with a CVSS score of 4.6 (MEDIUM). One Identity by Quest Safeguard for Privileged Passwords Appliance 7.5.1.20903 is vulnerable to One Time Password (OTP)/Multifactor Authentication (MFA) bypass using response manipulation. An attacker...

How severe is CVE-2025-56689?

CVE-2025-56689 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-56689?

Check the references section above for vendor advisories and patch information. Affected products include: Quest One Identity.