AuthMe Velocity is a plugin developed by 4drian3d that extends AuthMeReloaded support for networks that use Velocity as a proxy. However, in one of its latest versions, a critical exploit was discovered that allows the authentication of any user to be forced without knowing their password, putting the security of the servers that use it at risk.
The exploit works by sending a crafted plugin message through the
channel authmevelocity:main.
The attacker writes their desired username in the first UTF field and the
string "LOGIN" in the second UTF field. This message mimics
a legitimate login request handled by AuthMe Velocity, allowing the attacker
to bypass authentication without needing the correct password.
To use this exploit, you can use the proxy command in MCPTool and use the /authmevelocityexploit command. You can also use clients like MCPClient or ParadiseClient.