Authentication Bypass in Cal.com login credentials provider
CVE-2025-66489 is a critical authentication bypass vulnerability in Cal.com, the open-source scheduling platform, affecting versions prior to 5.9.8. The flaw is in the login credentials provider within the authentication flow, where problematic conditional logic allows password verification to be bypassed when a TOTP code is supplied. As a result, an attacker can authenticate without successfully proving knowledge of the account password, leading to unauthorized access to user accounts. The issue is remotely exploitable and was fixed in Cal.com 5.9.8.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-66489, a critical authentication bypass vulnerability in Cal.com (versions <= 5.9.7). The exploit is implemented in a single Python script (CVE-2025-66489.py) and is accompanied by a detailed README.md explaining the vulnerability, affected versions, and usage instructions. The exploit works by sending a crafted POST request to the /api/auth/callback/credentials endpoint with a valid email, an incorrect password, and any TOTP code, exploiting a logic flaw where the presence of a TOTP code causes the backend to skip password verification. If successful, the script establishes a valid session and demonstrates access to protected resources (e.g., /dashboard). The README provides clear guidance for setup, execution, and expected results, and emphasizes the criticality of the issue and the need for immediate patching. No hardcoded endpoints or credentials are present; the script is parameterized for flexible targeting. The exploit is a functional PoC and not a detection script or fake exploit.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-66489, a critical authentication bypass vulnerability in Cal.com (versions <= 5.9.7). The exploit is implemented in a single Python script (CVE-2025-66489.py) and is accompanied by a detailed README.md explaining the vulnerability, affected versions, exploitation steps, and remediation advice. The exploit works by sending a crafted POST request to the /api/auth/callback/credentials endpoint of a vulnerable Cal.com instance, supplying a valid email, any (incorrect) password, a dummy TOTP code, and a valid CSRF token. Due to a logic flaw, the presence of a TOTP code causes the backend to skip password verification, allowing an attacker to log in as any user with a known email address, even if 2FA is enabled. Upon successful exploitation, the script confirms access to the /dashboard endpoint and outputs the session cookie, which can be used to access the application as the compromised user. The repository is structured simply, with the main exploit logic in the Python script and comprehensive usage and background information in the README. No hardcoded endpoints or credentials are present; the script requires user-supplied parameters. The attack vector is remote (network-based), and the exploit is classified as a PoC, as it demonstrates the vulnerability but does not include weaponized or automated post-exploitation features.
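As an added illustration, not Cal.com's own code (which this page does not reproduce), the following schematic credentials-provider authorize function shows the flaw class described above beside its hardened form: the vulnerable shape only verifies the password when no TOTP code accompanies the request, while the hardened shape verifies the password unconditionally and treats the second factor as an additional requirement. The account fixture, the SHA-256 password hash and the fixed-constant TOTP check are constructed stand-ins.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

interface User { email: string; passwordHash: string; totpEnabled: boolean; }
interface Credentials { email: string; password: string; totpCode?: string; }

// Constructed fixture. SHA-256 stands in for real password hashing; it is not what Cal.com uses.
const sha256 = (s: string): Buffer => createHash("sha256").update(s).digest();
const users: Record<string, User> = {
  "alice@example.test": {
    email: "alice@example.test",
    passwordHash: sha256("correct horse").toString("hex"),
    totpEnabled: true,
  },
};

function passwordMatches(user: User, password: string): boolean {
  // Both digests are 32 bytes, so a constant-time comparison is valid here.
  return timingSafeEqual(sha256(password), Buffer.from(user.passwordHash, "hex"));
}

// Stand-in for a real RFC 6238 check: in this example the only accepted code is a constructed constant.
function totpMatches(user: User, code: string): boolean {
  return user.totpEnabled && code === "123456";
}

// Hypothetical reconstruction of the flaw class described on this page, not Cal.com's actual code:
// the password is only verified when the request carries no TOTP code, so any non-empty code
// (valid or not) skips the password check entirely and the caller is treated as the user.
function authorizeVulnerable(c: Credentials): User | null {
  const user = users[c.email] ?? null;
  if (!user) return null;
  if (!c.totpCode && !passwordMatches(user, c.password)) return null;
  return user;
}

// Hardened form: the password is verified unconditionally, and a second factor can only add a
// requirement, never remove one. Accounts with TOTP enabled must also present a valid code.
function authorizeHardened(c: Credentials): User | null {
  const user = users[c.email] ?? null;
  if (!user) return null;
  if (!passwordMatches(user, c.password)) return null;
  if (user.totpEnabled && (!c.totpCode || !totpMatches(user, c.totpCode))) return null;
  return user;
}
```

The difference a reviewer should look for is structural: in the fixed version no branch exists in which the request reaches a session without the password check having run.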
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Authentication bypass in Cal.com by submitting fake TOTP codes (mentioned only as related content; no technical details provided in the main text).
A critical authentication bypass vulnerability in Cal.com allows attackers to bypass two-factor authentication by submitting fake TOTP codes.
Authentication bypass in Cal.com’s login credentials provider where supplying a TOTP code can bypass password verification due to flawed conditional logic, enabling unauthorized account access.