Today’s post describes a critical vulnerability affecting Citrix ShareFile versions up to and including 19.1. The application implements two-phase authentication in which OTP (One-Time Password) validation is performed independently of username/password verification.
Citrix ShareFile Application v.19.1
Under specific conditions, an attacker who gains access to a victim’s OTP generator (a physical token or a virtual app such as Google Authenticator) can skip the first phase of authentication, the username and password, and gain access by submitting only the username and a valid OTP.
This behavior effectively downgrades 2FA to 1FA, allowing unauthorized access without knowledge of the user’s password whenever the OTP device is compromised.
The flaw lies in the server’s authentication flow logic, which does not enforce the required sequence of phases: the server never verifies that the user completed phase 1 (username/password) before accepting and validating phase 2 (OTP).
As a result, an attacker holding a user’s offline OTP token, physical or virtual, can start a login session and submit only the username and a valid OTP. The server treats the OTP as sufficient and skips password validation entirely.
This vulnerability is only exploitable when:
The OTP is generated offline from a pre-configured shared secret (TOTP/HOTP).
The server does not tie OTP validation to a prior successful username/password authentication in the same session.
OTPs are not generated on demand by the server and delivered dynamically (e.g., via SMS or voice call).
Exploitation Steps
The vulnerability is exploited as follows:
The attacker obtains access to the victim’s OTP source (Google Authenticator, a physical token, etc.).
Intercept or recreate a login request, even one with invalid or garbage values in the username and password fields.
Modify the request to insert the victim’s valid username and current OTP in place of the original credentials.
Send the modified request to the server.
The server validates the OTP without verifying that the username/password step succeeded, granting access.
This attack relies on the incorrect server-side assumption that OTP alone is a sufficient condition for authentication success.
The requests used to exploit this vulnerability are shown below. First, the attacker intercepts a log-in request containing garbage data and uses it as the base for the attack, changing the parameters listed under "Request modifications".
[Image: Phase 1 default log-in request and response]
Request modifications:
op=webflow-verify and code=[OTP]
[Image: Evil phase 2 request with modified parameters]
The following image serves as evidence of unauthorized access to the web application by exploiting this vulnerability:
[Image: Unauthorized access to the application]
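The flow above, as an added example that is not part of the original write-up or of ShareFile’s code: a small Python model of the server-side logic, with the flawed handler next to a hardened one that enforces phase sequencing and binds the OTP check to the user whose password was verified. The op=webflow-verify and code parameters come from the write-up; the op=login value, the session fields, the user store, the password hash and the TOTP seed (the RFC 6238 reference secret) are assumptions made for this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed data for the example: one victim account. The password and the
# TOTP seed are invented (the seed is the RFC 6238 reference secret).
_SALT = b"example-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {
    "victim": {
        "password_hash": _hash_password("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",
    }
}


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): what an offline generator app computes."""
    msg = struct.pack(">Q", for_time // step)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def check_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["password_hash"], _hash_password(password))


def check_totp(secret: bytes, code: str, now: int) -> bool:
    # Accept the current and the previous 30-second window.
    return any(hmac.compare_digest(totp(secret, now - skew), code) for skew in (0, 30))


@dataclass
class Session:
    username: Optional[str] = None   # user whose password was verified in phase 1
    password_verified: bool = False
    authenticated: bool = False


def handle_vulnerable(session: Session, params: dict, now: int) -> str:
    """Models the flawed flow: phase 2 is reachable without phase 1 (assumed op names)."""
    if params.get("op") == "login":
        if check_password(params.get("username", ""), params.get("password", "")):
            session.username, session.password_verified = params["username"], True
            return "phase1_ok"
        return "phase1_fail"
    if params.get("op") == "webflow-verify":
        # BUG: username is taken from the request and password_verified is never consulted.
        user = USERS.get(params.get("username", ""))
        if user and check_totp(user["totp_secret"], params.get("code", ""), now):
            session.username, session.authenticated = params["username"], True
            return "authenticated"
        return "phase2_fail"
    return "unknown_op"


def handle_fixed(session: Session, params: dict, now: int) -> str:
    """Hardened flow: phase 2 requires phase 1 and uses the phase-1 user, not the request's."""
    if params.get("op") == "login":
        session.username, session.password_verified, session.authenticated = None, False, False
        if check_password(params.get("username", ""), params.get("password", "")):
            session.username, session.password_verified = params["username"], True
            return "phase1_ok"
        return "phase1_fail"
    if params.get("op") == "webflow-verify":
        if not session.password_verified or session.username is None:
            return "phase1_required"      # strict sequencing: reject before touching the OTP
        user = USERS[session.username]    # request-supplied username is ignored
        if check_totp(user["totp_secret"], params.get("code", ""), now):
            session.authenticated = True
            return "authenticated"
        return "phase2_fail"
    return "unknown_op"


def run_attack(handler, now: int):
    """The write-up's steps: garbage phase 1, then the victim's username plus a live OTP."""
    s = Session()
    handler(s, {"op": "login", "username": "garbage", "password": "garbage"}, now)
    code = totp(USERS["victim"]["totp_secret"], now)   # read off the stolen generator
    return handler(s, {"op": "webflow-verify", "username": "victim", "code": code}, now), s.authenticated


def run_legit(handler, now: int):
    """Normal two-phase login, to show the hardened handler still admits the real user."""
    s = Session()
    handler(s, {"op": "login", "username": "victim", "password": "correct horse battery staple"}, now)
    code = totp(USERS["victim"]["totp_secret"], now)
    return handler(s, {"op": "webflow-verify", "username": "victim", "code": code}, now), s.authenticated


if __name__ == "__main__":
    t = 59
    print("vulnerable, attack:", run_attack(handle_vulnerable, t))   # ('authenticated', True)
    print("fixed, attack:     ", run_attack(handle_fixed, t))        # ('phase1_required', False)
    print("fixed, legit login:", run_legit(handle_fixed, t))         # ('authenticated', True)
```

The hardened handler rejects the phase 2 request before evaluating the OTP at all, so an attacker cannot even use it as an OTP oracle, and it resets the session on every phase 1 attempt so a failed password cannot leave stale state behind.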
Recommended Mitigations:
Review and correct the authentication logic so that OTP validation is only reachable after a successful password verification, and bind the OTP check to the username verified in phase 1 rather than to a username supplied in the phase 2 request.
Enforce strict sequencing of authentication phases in all login flows, including alternative or legacy endpoints.
Log and alert on any login attempt where an OTP is accepted without a prior successful password authentication in the same session.
Consider implementing risk-based authentication to detect and block anomalous login flows.
Educate users to safeguard their OTP tokens and treat them as sensitive credentials.
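The logging and alerting mitigation above, as an added example that is not part of the original post: a Python detector that scans authentication log lines and flags every accepted OTP step that has no prior successful password step in the same session, or whose user differs from the one whose password was verified. The log format, session identifiers and usernames are constructed for this example and are not ShareFile’s.

```python
import re

# Constructed sample log: one line per authentication step, keyed by session id.
SAMPLE_LOG = [
    "2019-02-01T10:00:01Z sid=abc123 op=login user=garbage result=fail",
    "2019-02-01T10:00:03Z sid=abc123 op=webflow-verify user=victim result=success",   # the attack
    "2019-02-01T10:05:00Z sid=def456 op=login user=alice result=success",
    "2019-02-01T10:05:04Z sid=def456 op=webflow-verify user=alice result=success",    # legitimate
    "2019-02-01T10:07:00Z sid=ghi789 op=webflow-verify user=bob result=success",      # no phase 1 at all
    "2019-02-01T10:09:00Z sid=jkl000 op=login user=carol result=success",
    "2019-02-01T10:09:02Z sid=jkl000 op=webflow-verify user=victim result=success",   # user swapped
    "malformed line that the parser should skip",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) op=(?P<op>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
)


def find_otp_without_password(lines):
    """Return (sid, user, reason) for every accepted OTP that phase 1 does not justify."""
    phase1_user = {}   # sid -> username whose password succeeded in that session
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue   # ignore lines that are not authentication events
        sid, op, user, result = m["sid"], m["op"], m["user"], m["result"]
        if op == "login":
            if result == "success":
                phase1_user[sid] = user
            else:
                phase1_user.pop(sid, None)   # a failed password attempt clears phase 1
        elif op == "webflow-verify" and result == "success":
            verified = phase1_user.get(sid)
            if verified is None:
                findings.append((sid, user, "OTP accepted without prior password success"))
            elif verified != user:
                findings.append((sid, user, f"OTP accepted for {user} but password verified for {verified}"))
            phase1_user.pop(sid, None)   # phase 1 is consumed once an OTP is accepted
    return findings


if __name__ == "__main__":
    for sid, user, reason in find_otp_without_password(SAMPLE_LOG):
        print(f"ALERT sid={sid} user={user}: {reason}")
```

Run as a batch over an exported log this gives a quick retroactive check for exploitation; the same state machine can be fed from a streaming pipeline for live alerting.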
This issue underscores the importance of strong backend enforcement of authentication phases, especially in systems relying on token-based 2FA. Organizations should review their implementations immediately to ensure that OTP validation cannot occur independently of password verification. Our team is available to assist with auditing or remediation support as needed.
Conclusion
This vulnerability represents a significant break in the two-factor authentication model: possession of the OTP device becomes the only required factor, and password-based identity verification is bypassed completely.
Reporting Information:
Affected Versions: Citrix ShareFile through 19.1
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-7218