CVE-2025-71279
XenForo · XenForo
XenForo versions prior to 2.3.7 contain a critical security flaw in Passkey-based authentication that could allow attackers to compromise user accounts.
Executive summary
A critical vulnerability in XenForo's passkey authentication lets an attacker undermine the protection that registered passkeys are meant to provide and log in as the affected users. Because forum administrators and moderators are among the accounts that may carry a passkey, a successful attack can reach the admin control panel as well as ordinary user profiles.
Vulnerability
The flaw sits in the passkey (WebAuthn) login flow of the XenForo platform. Public technical details are limited; what has been stated is that an attacker can bypass or undermine the security of passkeys already registered to user accounts and use that weakness to log in as those users. Since a passkey in XenForo 2.3 can act as the primary login credential rather than as a second factor, a weakness in this path is equivalent to an authentication bypass for the affected accounts. Whether accounts with no passkey registered are also exposed is not stated in the advisory.
</gre_replace>
<gr_replace lines="9" cat="clarify" orig="The compromise of Passkey-based">
A weakness in passkey authentication strikes directly at the identity layer of the forum platform. The CVSS score of 9.8 places the issue in the critical range: an attacker who can reach the login endpoint over the network may be able to take over accounts, including high-privilege administrative accounts, and from there read or alter member data, with the resulting data breach and reputational damage. It also erodes the trust users and operators place in passwordless and multi-factor authentication, which is a cost beyond the individual incident.
Business impact
The compromise of Passkey-based authentication directly threatens the identity management of the forum platform. With a CVSS score of 9.8, the impact is catastrophic, potentially allowing attackers to hijack high-privilege administrative accounts, leading to data breaches and reputational damage. This vulnerability undermines the trust in multi-factor and passwordless authentication systems used by the organization.
Remediation
Immediate Action: Update the XenForo installation to version 2.3.7 or higher, which resolves the underlying issue in the passkey logic, and confirm the running version after the upgrade rather than relying on the package that was downloaded.
Proactive Monitoring: Review login records for unusual patterns, in particular passkey logins from unfamiliar addresses or at unfamiliar times, and look for unauthorised changes to user profile settings such as e-mail address, password, registered passkeys or two-step verification, as well as newly created or newly promoted administrator accounts.
Compensating Controls: Until the environment has been patched and verified, encourage or enforce alternative multi-factor authentication methods such as TOTP. Note the caveat that a second factor only helps if the passkey login path still enforces it; if the flaw bypasses the passkey step itself, the safer interim measure is to temporarily disable passkey login where the installation offers that option and have users fall back to password plus TOTP.
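The advisory's only definitive fix is the version threshold, so the practical first step is to find every installation below it. The following Python script is an added example, not XenForo's own code and not part of this advisory: it parses XenForo-style version strings, decides whether each is older than 2.3.7 (treating alphas, betas and release candidates of 2.3.7 as still vulnerable and patch levels of 2.3.7 as fixed), and can pull the version out of an `XF.php` source file. It assumes that XenForo version strings look like `2.3.6`, `2.3.7 Beta 1`, `2.3.7 Release Candidate 2` or `2.3.7 Patch 1`, and that `src/XF.php` contains a line of the form `public static $version = '2.3.6';`; both are assumptions about the product, and the inventory and file contents below are constructed sample data.

```python
"""Triage helper for CVE-2025-71279: flag XenForo installs older than 2.3.7.

Added example, not XenForo's own code. Assumptions (verify against your
installation): version strings follow the "2.3.7", "2.3.7 Beta 1",
"2.3.7 Release Candidate 2", "2.3.7 Patch 1" pattern, and src/XF.php
carries the running version as `public static $version = '...';`.
"""
import re
from dataclasses import dataclass

FIXED_VERSION = "2.3.7"  # first version the advisory says resolves the issue

# Pre-release stages sort before the stable release, patch levels after it.
_STAGE_RANK = {
    "alpha": 0,
    "beta": 1,
    "release candidate": 2,
    "rc": 2,
    "": 3,            # plain stable release
    "patch": 4,
    "patch level": 4,
}

_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)"
    r"(?:\s+(alpha|beta|release candidate|rc|patch(?: level)?)\s*(\d+)?)?\s*$",
    re.IGNORECASE,
)

# Assumed shape of the version assignment in src/XF.php.
_XF_PHP_RE = re.compile(r"""public\s+static\s+\$version\s*=\s*['"]([^'"]+)['"]""")


@dataclass(frozen=True, order=True)
class XfVersion:
    """Field order matters: dataclass ordering compares fields left to right."""
    major: int
    minor: int
    patch: int
    stage: int  # rank from _STAGE_RANK
    build: int  # number after the stage word, 0 if absent


def parse_version(text: str) -> XfVersion:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised XenForo version string: {text!r}")
    major, minor, patch, stage, build = m.groups()
    stage_key = (stage or "").lower()
    return XfVersion(int(major), int(minor), int(patch),
                     _STAGE_RANK[stage_key], int(build or 0))


def is_vulnerable(version_text: str) -> bool:
    """True when the version is below 2.3.7 stable.

    Pre-releases of 2.3.7 are conservatively treated as vulnerable; 2.3.7
    patch levels and anything newer are treated as fixed.
    """
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def version_from_xf_php(source: str) -> str:
    """Extract the version string from the contents of src/XF.php (assumed layout)."""
    m = _XF_PHP_RE.search(source)
    if not m:
        raise ValueError("no $version assignment found in XF.php source")
    return m.group(1)


def triage(inventory: dict[str, str]) -> dict[str, bool]:
    """Map each host in a {host: version} inventory to whether it needs the update."""
    return {host: is_vulnerable(version) for host, version in inventory.items()}


# Constructed sample data for a stand-alone run.
SAMPLE_XF_PHP = """<?php
class XF
{
    public static $version = '2.3.6';
"""

SAMPLE_INVENTORY = {
    "forum-a.example": "2.3.6",
    "forum-b.example": "2.3.7 Beta 1",
    "forum-c.example": "2.3.7",
    "forum-d.example": "2.3.7 Patch 1",
    "forum-e.example": "2.4.0 Beta 1",
}

if __name__ == "__main__":
    print("version in sample XF.php:", version_from_xf_php(SAMPLE_XF_PHP))
    for host, needs_update in triage(SAMPLE_INVENTORY).items():
        print(f"{host:18} {SAMPLE_INVENTORY[host]:26} {'UPDATE' if needs_update else 'ok'}")
```

To use it against real hosts, replace `SAMPLE_INVENTORY` with the versions you collect (for example by reading each installation's `src/XF.php` through your configuration management and passing the contents to `version_from_xf_php`). The comparison deliberately errs towards flagging: a `2.3.7 Beta` build is reported as needing the update because the advisory names only the stable 2.3.7 release as fixed.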
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given that this is an authentication vulnerability rated critical, XenForo administrators should apply the 2.3.7 update without delay. Monitoring and alternative MFA reduce exposure in the meantime, but the patch is the only definitive way to remove the risk of account takeover through the passkey flow.