Delinea Cloud Suite 25.1 MFA Issues

Incident Report for Delinea

Postmortem

Impact

Some Privileged Access Service customers with Multi-Factor Authentication (MFA) enabled were unable to log into their tenants. 

Incident Overview

During a Privileged Access Service (PAS) security update on March 1, 2025, MFA stopped working for Server Suite agent versions older than 6.0.1 on Linux and Unix machines. This issue prevented users from successfully authenticating with MFA. 

Root Cause

A security change in Cloud Suite 25.1, designed to prevent a form of "Request Smuggling," incorrectly flagged requests from older versions of cURL used in Server Suite agents prior to version 6.0.1. As a result, MFA authentication requests from these older agents were blocked. 

Mitigation and Resolution 

  1. The primary recommendation for affected customers is to upgrade their Server Suite agents to at least version 2023.1 (6.0.1-374). 
  2. As an alternative, if an upgrade was not immediately possible, customers could temporarily disable MFA. 
  3. A hotfix applied to PAS servers on March 3, 2025, resolved the MFA issue for all agent versions. With this fix, customers do not need to make any changes to their agents. Customers who temporarily disabled MFA should re-enable it to restore security controls. 

Preventative Actions 

  1. Enhanced Compatibility Testing: Improve regression testing to validate compatibility between security updates and older agent versions. 
  2. Customer Communication: Provide proactive guidance on agent version dependencies and upgrade recommendations ahead of major security changes.
Posted Mar 10, 2025 - 16:19 EDT

Resolved

This incident has been resolved.
Posted Mar 04, 2025 - 23:09 EST

Update

The problem appears to be resolved.
Posted Mar 04, 2025 - 11:37 EST

Update

Delinea engineering has deployed a hotfix for this issue. MFA should be working normally again, but if you still see any issues with it, please contact Delinea support at +1 (202) 991-0540.

Thank you.
Posted Mar 04, 2025 - 11:35 EST

Identified

As mentioned in the support article, we have a hotfix ready and will begin deploying it to the affected clusters shortly. During this process, you may experience intermittent connectivity loss to the service.

We appreciate your patience as we work to fully resolve the issue.
Posted Mar 03, 2025 - 20:38 EST

Update

Delinea engineering is still working to resolve this issue. In the meantime, a knowledgebase article has been created for customers to watch for additional information and any updates.

The article can be found here:

https://support.delinea.com/s/article/1741019324260

Thank you for your patience while we work through this issue.
Posted Mar 03, 2025 - 13:53 EST

Update

This issue is still being worked on by the Delinea engineering team. However, they have suggested 2 workarounds until a resolution is found:

1 - The top recommendation is for impacted customers to upgrade agents to at least version 2023.1 (6.0.1-374).
2 - If unable to upgrade, an alternative option would be to disable MFA temporarily.
Posted Mar 03, 2025 - 09:28 EST

Investigating

Delinea is currently working on an issue where some customers who have MFA enabled are unable to log into their servers.

We'll provide updates as we learn more.

Thank you for your patience.
Posted Mar 02, 2025 - 15:25 EST
This incident affected: BR (Privileged Access Service / Cloud Suite), US (Privileged Access Service / Cloud Suite), UK (Privileged Access Service / Cloud Suite), EU (Privileged Access Service / Cloud Suite), AU (Privileged Access Service / Cloud Suite), CA (Privileged Access Service / Cloud Suite), and SEA (Privileged Access Service / Cloud Suite).