Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Cache misconfiguration vulnerability in OpenText Identity Manager on Windows, Linux allows remote authenticated users to obtain another user's session data via insecure application cache handling. This issue affects Identity Manager: 25.2(v4.10.1).
AnalysisAI
OpenText Identity Manager versions up to 25.2 (v4.10.1) suffer from insecure cache handling that permits remote authenticated users to retrieve another user's session data, resulting in unauthorized information disclosure. An attacker with valid credentials can exploit this cache misconfiguration on both Windows and Linux deployments to access sensitive session information belonging to other authenticated users, compromising confidentiality of user sessions and potentially enabling lateral movement or privilege escalation attacks.
Technical ContextAI
This vulnerability stems from improper cache configuration in OpenText Identity Manager (CPE: cpe:2.3:a:opentext:identity_manager), classified under CWE-522 (Insufficiently Protected Credentials). The root cause involves the application's caching mechanism failing to properly isolate or encrypt session data, allowing authenticated attackers to retrieve cached credentials or session tokens belonging to other users. This affects the Identity Manager authentication and session management subsystem across both Windows and Linux platforms, indicating a platform-agnostic logic flaw rather than OS-specific weakness.
RemediationAI
Upgrade OpenText Identity Manager to version 4.10.1 Patch 01 or later as documented in the vendor release notes (https://docs.microfocus.com/doc/2159/25.2/releasenotesidentitymanager4101patch01). Until patching is completed, apply the following interim controls: (1) restrict network access to Identity Manager endpoints using firewall rules and VPN/bastion host requirements to limit authenticated user population; (2) implement cache invalidation policies and clear application cache regularly; (3) monitor authentication logs and session management audit trails for anomalous cross-user session access patterns; (4) enforce strong session timeout policies to reduce the window of exposure for cached credentials.
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209094
GHSA-97p3-hw8f-r547