Impact
SOGo user accounts that disable and subsequently re‑enable OTP do not trigger an OTP renewal; the system continues to accept the previously issued token. Additionally, the token length is only twelve digits, well below the recommended twenty digits, making it easier for an adversary to guess or brute‑force the value. This flaw grants an attacker the ability to replay an old token and bypass authentication controls, potentially allowing unauthorized access to user mailboxes or other protected resources. The weakness corresponds to the CWE‑308, “Insufficient Validation of Security Parameters”.
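The two defects described above (a token that survives a disable/re-enable cycle, and a token shorter than the recommended twenty digits) can be modelled and audited in a few lines. The following is an added example, not SOGo code: `AccountOtp`, `enable_otp`, `disable_otp`, `verify_token`, `audit_otp` and `reenable_cycle` are hypothetical names, and the account record is a constructed stand-in for whatever SOGo stores. The `rotate_on_reenable=False` path reproduces the reported behaviour; the default path shows the expected fix, and `audit_otp` is the check an administrator could run over existing enrollments.

```python
"""Model of OTP re-enrollment, with an audit for the two weaknesses in the advisory.

Added illustration; not SOGo's implementation. Names and the account layout are assumptions.
"""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DIGITS = "0123456789"
MIN_TOKEN_DIGITS = 20  # recommended minimum length cited in the advisory


def new_token(length: int = MIN_TOKEN_DIGITS) -> str:
    """Generate a numeric token with the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(DIGITS) for _ in range(length))


@dataclass
class AccountOtp:
    enabled: bool = False
    token: Optional[str] = None
    retired: List[str] = field(default_factory=list)  # tokens in force before each disable


def enable_otp(acct: AccountOtp, *, rotate_on_reenable: bool = True) -> str:
    """Enable OTP. With rotate_on_reenable=False the previous token is kept (the flaw)."""
    if acct.token is None or rotate_on_reenable:
        acct.token = new_token()
    acct.enabled = True
    return acct.token


def disable_otp(acct: AccountOtp) -> None:
    """Disable OTP and remember the token that was in force, so the audit can spot reuse."""
    acct.enabled = False
    if acct.token is not None:
        acct.retired.append(acct.token)


def verify_token(acct: AccountOtp, presented: str) -> bool:
    """Accept only the current token, compared in constant time; nothing else is valid."""
    if not acct.enabled or acct.token is None:
        return False
    return secrets.compare_digest(acct.token, presented)


def audit_otp(acct: AccountOtp) -> List[str]:
    """Return findings for an enrollment: short token, or a token reused after re-enable."""
    findings = []
    if acct.token is None:
        return findings
    if len(acct.token) < MIN_TOKEN_DIGITS:
        findings.append("short-token")
    if acct.token in acct.retired:
        findings.append("token-reused-after-reenable")
    return findings


def reenable_cycle(rotate_on_reenable: bool) -> Tuple[bool, List[str]]:
    """Enroll, disable, re-enable; report whether the old token still works plus audit findings."""
    acct = AccountOtp()
    old = enable_otp(acct)  # initial enrollment
    disable_otp(acct)
    enable_otp(acct, rotate_on_reenable=rotate_on_reenable)
    return verify_token(acct, old), audit_otp(acct)


if __name__ == "__main__":
    print("flawed  :", reenable_cycle(rotate_on_reenable=False))  # old token accepted
    print("rotating:", reenable_cycle(rotate_on_reenable=True))   # old token rejected
    # constructed short enrollment, flagged by the length check
    print("short   :", audit_otp(AccountOtp(enabled=True, token="123456789012")))
```

The audit relies on retaining retired tokens (or their hashes) so that a re-enable can be compared against what was previously in force; a deployment that discards them on disable cannot detect the reuse after the fact and has to rely on rotation at enable time instead.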
Affected Systems
Alinto SOGo installations running a version earlier than 5.12.5 are affected. No other versions or products are listed as impacted.
Risk and Exploitability
The CVSS score of 2 indicates low overall severity, and the EPSS score is below 1 %, implying a very low probability of exploitation in the wild. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is inferred to be a local or remote attacker who captures or guesses the short OTP (for example through phishing, network interception or brute force) and then replays the old token after a user disables and re‑enables OTP. Exploitation would require the attacker to obtain the OTP code or to observe its transmission, without requiring code execution or privilege escalation. Given the low score and exploit probability, the risk to most systems is limited, but the potential impact on confidentiality warrants mitigation.
OpenCVE Enrichment