Description
EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page.
Published: 2026-03-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Bypass of two-factor authentication leading to unauthorized administrative access
Action: Immediate Patch
AI Analysis

Impact

EC-CUBE contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has already obtained a valid administrator ID and password can circumvent the second authentication factor and gain unrestricted access to the administrative interface. The flaw effectively reduces an MFA-protected account to single-factor protection: the stolen password alone is enough for full administrative control, with no additional privileged credentials required.

Affected Systems

The vulnerability is present in the EC-CUBE 4.1 series (specifically 4.1.2 and its patch releases p1-p4), the 4.2 series (4.2.3 and its p1 patch), and the 4.3 series (4.3.1). These versions are distributed by EC-CUBE CO.,LTD. Users running any of these releases are at risk.

Risk and Exploitability

The CVSS score of 6.9 places the issue at medium severity. The EPSS score of less than 1 percent indicates a very low probability of exploitation, and the issue is not listed in the CISA KEV catalog. The attack requires the attacker to first acquire administrator credentials, for example through credential theft or social engineering. Once credentials are in hand, the MFA bypass can be exploited remotely, relying on the flawed authentication logic described in the vendor advisory.

Generated by OpenCVE AI on April 16, 2026 at 12:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided security update for the affected EC-CUBE releases (4.1.2, 4.2.3, or 4.3.1) as detailed in the EC-CUBE advisory.
  • After applying the patch, review the MFA configuration to ensure that the second factor cannot be overridden, and enforce a strictly validated second factor such as a time-based one-time password.
  • Rotate all administrator account passwords immediately after patching and enforce a password policy that requires strong, unique credentials for each admin account.
  • Continuously monitor administrator activity logs for anomalous access patterns and investigate any suspicious events promptly.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Title | | Multi-Factor Authentication Bypass in EC-Cube Administrator Login

Mon, 09 Mar 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ec-cube ec-cube
CPEs | | cpe:2.3:a:ec-cube:ec-cube:*:-:*:*:*:*:*:*
     | | cpe:2.3:a:ec-cube:ec-cube:4.1.2:-:*:*:*:*:*:*
     | | cpe:2.3:a:ec-cube:ec-cube:4.1.2:p1:*:*:*:*:*:*
     | | cpe:2.3:a:ec-cube:ec-cube:4.1.2:p2:*:*:*:*:*:*
     | | cpe:2.3:a:ec-cube:ec-cube:4.1.2:p3:*:*:*:*:*:*
     | | cpe:2.3:a:ec-cube:ec-cube:4.1.2:p4:*:*:*:*:*:*
     | | cpe:2.3:a:ec-cube:ec-cube:4.2.3:-:*:*:*:*:*:*
     | | cpe:2.3:a:ec-cube:ec-cube:4.2.3:p1:*:*:*:*:*:*
     | | cpe:2.3:a:ec-cube:ec-cube:4.3.1:-:*:*:*:*:*:*
Vendors & Products | | Ec-cube ec-cube
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}

Fri, 06 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ec-cube; Ec-cube ec-cube 4.1 Series; Ec-cube ec-cube 4.2 Series; Ec-cube ec-cube 4.3 Series
Vendors & Products | | Ec-cube; Ec-cube ec-cube 4.1 Series; Ec-cube ec-cube 4.2 Series; Ec-cube ec-cube 4.3 Series

Thu, 05 Mar 2026 05:45:00 +0000

Type | Values Removed | Values Added
Description | | EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page.
Weaknesses | | CWE-288
References | |
Metrics | | cvssV3_0 {'score': 4.9, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}
        | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-03-06T18:19:20.427Z

Reserved: 2026-03-04T22:26:32.318Z

Link: CVE-2026-30777

Vulnrichment

Updated: 2026-03-06T18:19:17.117Z

NVD

Status : Analyzed

Published: 2026-03-05T06:16:51.997

Modified: 2026-03-09T18:34:56.787

Link: CVE-2026-30777

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:00:11Z

Weaknesses