CVE-2025-32359 Information

Description

In Zammad 6.4.x before 6.4.2, there is client-side enforcement of server-side security. When changing their two-factor authentication configuration, users need to re-authenticate with their current password first. However, this requirement was enforced in Zammad only at the front-end level and not when using the API directly.
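
The server-side form of this check, as an added example that is not Zammad's code and not taken from the advisory: a short-lived confirmation is issued only after the current password is verified, and the handler that changes the two-factor setting validates it itself. ReauthGate, its method names, the 300-second lifetime and the token format are assumptions made for illustration.

```ruby
require 'openssl'
require 'securerandom'
# Added illustration with hypothetical names; not Zammad's code.
class ReauthGate
  TTL = 300 # seconds a password confirmation stays valid (assumed value)

  def initialize(clock: -> { Time.now.to_i })
    @key = SecureRandom.bytes(32) # server-only secret that signs confirmations
    @clock = clock
    @users = {}
  end

  def add_user(login, password)
    salt = SecureRandom.bytes(16)
    @users[login] = { salt: salt, hash: derive(password, salt), two_factor: 'totp' }
  end

  def two_factor(login)
    @users.fetch(login)[:two_factor]
  end

  # Step 1: verify the current password, then issue a token bound to user and session.
  def confirm_password(login, session_id, password)
    user = @users[login]
    return nil unless user && secure_eq(derive(password, user[:salt]), user[:hash])
    expires = @clock.call + TTL
    "#{expires}.#{sign(login, session_id, expires)}"
  end

  # Step 2: the API handler re-checks the token, so a direct call that skips the UI dialog fails.
  def update_two_factor(login, session_id, new_method, token)
    expires, mac = token.to_s.split('.', 2)
    return :forbidden unless mac && expires.match?(/\A\d+\z/) && expires.to_i >= @clock.call
    return :forbidden unless secure_eq(mac, sign(login, session_id, expires.to_i))
    @users.fetch(login)[:two_factor] = new_method
    :ok
  end

  private

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, 'SHA256')
  end
  def sign(login, session_id, expires)
    OpenSSL::HMAC.hexdigest('SHA256', @key, [login, session_id, expires].join("\0"))
  end
  def secure_eq(a, b) # length check plus XOR accumulation, no early exit on mismatch
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end
```

The point of the design is that update_two_factor never trusts that the client showed a password prompt; it accepts only a confirmation the server signed for that user and session.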

Reference

https://zammad.com/en/advisories/zaa-2025-02
