Authentication Bypass via Magic Link and Passkey Methods

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

CVE-2025-10908 represents a critical authentication bypass vulnerability where locked user accounts can be successfully authenticated through Magic Link or Passkey authentication methods. This flaw exists because the application fails to validate account state (specifically lock status) during the authentication process, effectively disabling a fundamental security control designed to prevent unauthorized access to compromised or suspended accounts. Any organization using these modern authentication methods is potentially affected, particularly those relying on account locks as a response to security incidents, suspicious activity, or administrative enforcement. This vulnerability directly undermines identity and access control strategies, potentially allowing attackers to maintain persistence in locked accounts or regain access to accounts that should have been permanently restricted.

Casky's 261 matching skills, powered by Claude's extended reasoning capabilities, map directly to MITRE ATT&CK techniques TA0004 (Privilege Escalation) and TA0006 (Credential Access). Security practitioners would observe detection patterns focusing on: unauthorized authentication success against accounts marked as locked in identity systems; anomalous authentication events originating from Magic Link or Passkey flows without corresponding account state validation logs; and CWE-863 (Incorrect Authorization) indicators showing access grants despite administrative lock flags being present. The platform would flag deviations in expected authentication validation workflows—specifically missing checks that should occur between credential verification and access grant decisions—allowing teams to identify applications failing to enforce account state validation and remediate before exploitation occurs.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2025-10908.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2025-10908

Casky has 261 skills that investigate the attack patterns behind CVE-2025-10908. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn