CVE-2023-20123 in Duo Two-Factor Authentication

Summary

by MITRE • 04/05/2023

A vulnerability in the offline access mode of Cisco Duo Two-Factor Authentication for macOS and Duo Authentication for Windows Logon and RDP could allow an unauthenticated, physical attacker to replay valid user session credentials and gain unauthorized access to an affected macOS or Windows device. This vulnerability exists because session credentials do not properly expire. An attacker could exploit this vulnerability by replaying previously used multifactor authentication (MFA) codes to bypass MFA protection. A successful exploit could allow the attacker to gain unauthorized access to the affected device.


Analysis

by VulDB Data Team • 08/24/2025

The vulnerability lies in the offline access mode of Cisco Duo Two-Factor Authentication for macOS and of Duo Authentication for Windows Logon and RDP. Credentials issued for offline use stay valid beyond their intended window because the offline authentication path does not expire them correctly, so an access path persists after the session that created it should have ended. This breaks the basic expectation that authentication tokens are time-bound.

Exploitation requires a physical attacker with access to the device who can obtain session credentials from an earlier authentication and replay them. Because the authentication state cached locally on the device is not subject to time-based expiration or rotation, a previously used multifactor authentication (MFA) code can be reused within the offline access window, bypassing the second factor. No additional factor and no network connectivity are needed, so the access can be repeated at will.

The impact goes beyond a single unauthorized logon: an attacker with persistent access to the device can proceed to reconnaissance, data exfiltration or lateral movement within the network. Both macOS and Windows deployments are affected, so organizations relying on Cisco Duo for endpoint protection have a broad exposure. Because the attack is carried out offline on the device itself, it generates no network traffic, and network-based detection such as intrusion detection systems is unlikely to observe it.

Mitigations: disable offline access where it is not needed, enforce credential rotation, and monitor authentication activity for anomalous patterns. The weakness is classified as CWE-305 (authentication bypass) and maps to the ATT&CK credential access and persistence tactics. Additional controls such as endpoint detection and response, device encryption and mandatory access controls limit the impact of a successful exploit. Identify affected systems through regular security assessments and vulnerability scanning, and prioritize patching of the underlying session management flaw.
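As an added illustration (not Cisco Duo's code; HOTP is assumed here as a stand-in for an offline code format, which the page does not describe), the weak verifier pattern that keeps accepting a previously used offline code is shown beside a hardened form that consumes counters and expires the cached offline credential:

```python
import hashlib
import hmac
import struct

# Constructed demo secret for this example; not from any real enrolment.
DEMO_SECRET = b"constructed-demo-offline-secret"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % (10 ** digits):0{digits}d}"


class ReplayableOfflineVerifier:
    """Weak pattern (hypothetical): any code matching a counter in the
    look-ahead window is accepted and acceptance is never recorded, so a
    code that was already used keeps working for as long as the cache lives."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret, self.window = secret, window

    def verify(self, code: str) -> bool:
        return any(hmac.compare_digest(hotp(self.secret, c), code)
                   for c in range(self.window))


class HardenedOfflineVerifier:
    """Hardened form: a monotonic high-water mark rejects any code at or below
    the last accepted counter (no replay), and the cached offline credential
    carries an absolute expiry after which every code is refused."""

    def __init__(self, secret: bytes, issued_at: int, lifetime_s: int,
                 window: int = 10):
        self.secret, self.window = secret, window
        self.expires_at = issued_at + lifetime_s
        self.last_counter = -1  # no code accepted yet

    def verify(self, code: str, now: int) -> bool:
        if now >= self.expires_at:
            return False  # offline credential expired; online re-enrolment needed
        start = self.last_counter + 1
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # consume this and every earlier counter
                return True
        return False
```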

Reservation: 10/27/2022

Disclosure: 04/05/2023

Moderation: accepted

CPE: ready

EPSS: 0.00247

KEV: no

Activities: very low
