CVE-2023-20199 in Duo Two-Factor Authentication
Summary
by MITRE • 06/28/2023
A vulnerability in Cisco Duo Two-Factor Authentication for macOS could allow an authenticated, physical attacker to bypass secondary authentication and access an affected macOS device. This vulnerability is due to the incorrect handling of responses from Cisco Duo when the application is configured to fail open. An attacker with primary user credentials could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access the affected device without valid permission.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 08/25/2025
This vulnerability resides within Cisco Duo Two-Factor Authentication for macOS and represents a critical security flaw that undermines the fundamental purpose of multi-factor authentication. The issue stems from the application's improper handling of authentication responses when configured to fail open mode, creating a dangerous bypass mechanism that allows unauthorized access to macOS devices. The vulnerability specifically targets the authentication flow where the system should enforce secondary verification but instead permits access when the primary authentication succeeds, regardless of the secondary factor's outcome.
The technical implementation flaw occurs in the authentication response processing logic where the application fails to properly validate the secondary authentication status when operating in fail open configuration. This misconfiguration creates a scenario where the system's security posture is weakened to the point where an attacker with only primary credentials can gain access without proper secondary verification. The vulnerability is particularly concerning because it requires only physical access to the device and valid primary user credentials, making it exploitable by attackers who have already compromised user accounts or have obtained legitimate login information.
From an operational perspective, this vulnerability presents a severe risk to organizations relying on Cisco Duo for macOS security. The attack vector is straightforward and effective, requiring minimal technical expertise to exploit. An authenticated attacker with physical access can bypass the intended security controls that should prevent unauthorized access to macOS devices. This weakness undermines the entire two-factor authentication framework by allowing the system to grant access based solely on primary authentication when it should enforce both factors. The impact extends beyond individual device compromise to potentially enable broader network access and privilege escalation attacks within organizational environments.
The vulnerability aligns with CWE-305 authentication bypass weakness and relates to ATT&CK technique T1566.002 for credential access through phishing and social engineering. Organizations should immediately implement mitigations including disabling fail open configurations, enforcing strict authentication policies, and conducting comprehensive security audits of their macOS device access controls. Additionally, organizations should consider implementing additional security controls such as device encryption, remote wipe capabilities, and enhanced monitoring of authentication events. The recommended remediation includes updating to patched versions of Cisco Duo, reviewing and tightening authentication policies, and implementing network-level controls to limit access to sensitive systems based on device compliance status. Security teams should also establish incident response procedures specifically addressing potential exploitation of this vulnerability to ensure rapid detection and remediation of any successful attacks.