Impact
Insufficient state checks in Joomla! Core allow an attacker to circumvent the second factor in multi‑factor authentication. By sending a crafted request that bypasses the required state validation, the attacker can gain authenticated access without providing the second factor. This flaw falls under CWE‑287, leading to loss of confidentiality, integrity, and availability for users and administrators who rely on MFA to secure the system. The impact is substantial as the attacker can act with the privileges of a valid user account, potentially modifying site content, accessing sensitive data, or executing administrative commands.
Affected Systems
All installations of Joomla! CMS that have MFA enabled are potentially vulnerable. The CNA record does not list specific patch versions, so administrators should verify whether the installed version contains the fix once it becomes available. In short, any self‑hosted or hosted site running a Joomla! version before the official patch is at risk.
Risk and Exploitability
The CVSS score of 8.2 indicates high severity, while the EPSS score of less than 1% suggests a very low but non‑zero exploitation probability at the time of analysis. The vulnerability is not listed in CISA's KEV catalog, but its high impact remains unchanged. Based on the description, the likely attack vector is an application‑layer web request that manipulates session state or submits crafted data to bypass MFA checks. No public exploits have been reported yet, so the risk is moderate until the vulnerability becomes more widely known.
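As an added illustration of the CWE‑287 pattern described above (this is example code written for this page, not Joomla! code and not a reproduction of the specific flaw), the following Python sketch models a login as a server‑side state machine. The user name, password, salt and HOTP secret are constructed placeholders. The vulnerable check treats "a user is attached to the session" as "authenticated", so a session that has only passed the password step is already treated as logged in. The hardened check requires the session to have reached the authenticated state, which only the MFA handler sets, and only from the password_ok state after verifying an HOTP code (RFC 4226). The handler also refuses codes from anonymous or already‑authenticated sessions and resets the session after repeated failures.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed demo values; a real deployment stores these per user in a database.
SALT = b"constructed-salt"
MAX_MFA_FAILURES = 3


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": {
        "password_hash": _hash_password("correct horse", SALT),
        "mfa_secret": b"constructed-hotp-secret",
    },
}


@dataclass
class Session:
    """Server-side session. 'state' moves anonymous -> password_ok -> authenticated."""
    user: Optional[str] = None
    state: str = "anonymous"
    mfa_failures: int = 0

    def reset(self) -> None:
        self.user = None
        self.state = "anonymous"
        self.mfa_failures = 0


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def start_login(session: Session, user: str, password: str) -> bool:
    """First factor. On success the session is only PARTIALLY authenticated."""
    record = USERS.get(user)
    if record is None:
        return False
    if not hmac.compare_digest(record["password_hash"], _hash_password(password, SALT)):
        return False
    session.user = user
    session.state = "password_ok"
    session.mfa_failures = 0
    return True


def vulnerable_is_authenticated(session: Session) -> bool:
    """CWE-287 pattern: a user bound to the session is mistaken for a completed login,
    so the second factor is never actually required before privileged handlers run."""
    return session.user is not None


def hardened_is_authenticated(session: Session) -> bool:
    """Privileged handlers must require the terminal state, not an intermediate one."""
    return session.user is not None and session.state == "authenticated"


def verify_mfa(session: Session, code: str, counter: int) -> bool:
    """Second factor. Only valid from password_ok; anonymous or already
    authenticated sessions are rejected so the step cannot be skipped or replayed."""
    if session.user is None or session.state != "password_ok":
        return False
    expected = hotp(USERS[session.user]["mfa_secret"], counter)
    if hmac.compare_digest(expected, code):
        session.state = "authenticated"
        session.mfa_failures = 0
        return True
    session.mfa_failures += 1
    if session.mfa_failures >= MAX_MFA_FAILURES:
        session.reset()  # force the user back to the first factor
    return False


if __name__ == "__main__":
    s = Session()
    start_login(s, "alice", "correct horse")
    print("vulnerable check after password only:", vulnerable_is_authenticated(s))
    print("hardened check after password only:  ", hardened_is_authenticated(s))
    verify_mfa(s, hotp(USERS["alice"]["mfa_secret"], 7), 7)
    print("hardened check after second factor:  ", hardened_is_authenticated(s))
```

The point to carry over to any MFA implementation is that the session state must be the single source of truth and must be advanced only by the handler that verified the corresponding factor; anything the client can submit (flags, parameters, reordered requests) must not be able to move the session forward.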
OpenCVE Enrichment