CVE-2025-3092

EUVD-2025-19011 | HIGH
Observable Response Discrepancy (CWE-204)
2025-06-24 [email protected]
CVSS 3.1 base score: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (6 events)

Analysis Updated: Apr 16, 2026 - 06:36 (EUVD-patch-fix, executive_summary)
Re-analysis Queued: Apr 16, 2026 - 05:29 (backfill_euvd_patch, patch_released)
Patch available: Apr 16, 2026 - 05:29 (EUVD); fixed versions 2.18.0, 2.16.5
Analysis Generated: Mar 15, 2026 - 22:36 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 22:36 (euvd); EUVD-2025-19011
CVE Published: Jun 24, 2025 - 09:15 (nvd); HIGH 7.5

Description (NVD)

An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint.

Analysis (AI)

CVE-2025-3092 is an unauthenticated user enumeration vulnerability affecting an unprotected endpoint that allows remote attackers to discover valid usernames without authentication or user interaction. The vulnerability has a CVSS score of 7.5 (High) with a vector indicating network-based attack with low complexity and no privileges required, resulting in high confidentiality impact. While the description does not specify affected product versions, CPE strings, or KEV/EPSS data, the high CVSS and information disclosure nature suggest this requires urgent patching in affected systems where user enumeration could enable follow-up attacks like credential brute-forcing or targeted social engineering.

Technical Context (AI)

This vulnerability is an information disclosure of the CWE-204 (Observable Response Discrepancy) type through an unauthenticated endpoint, likely an API, web service, or authentication mechanism that inadvertently leaks whether a given user exists. The root cause is a failure to implement consistent error handling and response normalization across login, registration, password recovery, or user lookup endpoints. Implementations commonly vulnerable to this pattern include: endpoints that return different HTTP status codes, messages, or response times for valid vs. invalid usernames; endpoints that expose user metadata without authentication checks; and APIs that lack rate limiting and response normalization. Without specific CPE data, the vulnerability likely affects web applications, authentication frameworks, or identity management systems deployed across multiple vendors. The CWE-204 classification indicates that the flaw is the observable difference in system behavior that leaks information, not necessarily a flaw in cryptography or access control itself.

Remediation (AI)

Specific patch versions and vendor advisories are NOT provided in the CVE data. General remediation for user enumeration (CWE-204) includes:

(1) Implement consistent response behavior: return identical HTTP status codes, messages, and response times regardless of whether a username exists (e.g., always respond with 'Invalid credentials' for both an invalid username and an invalid password).
(2) Add rate limiting and CAPTCHA challenges to slow bulk enumeration.
(3) Implement account lockout policies after repeated failed attempts.
(4) Log and monitor enumeration attempts for intrusion detection.
(5) Remove or hide user-related metadata from public endpoints (user profiles, directory listings).
(6) Use timing-attack resistant password verification, performing the same amount of hashing work whether or not the user exists.

Immediate actions:

(1) Consult the vendor security advisories linked from the CVE-2025-3092 entries on NVD/MITRE for specific patch versions.
(2) Apply patches immediately to all affected instances.
(3) Audit authentication endpoints for similar enumeration vectors.
(4) Implement WAF rules to block bulk username enumeration patterns.

If patches are unavailable, deploy a reverse proxy or WAF with response normalization rules.
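The following is an added illustration of remediation points (1) and (6), not code from the affected product or from the advisory: a login handler that leaks user existence through distinct status codes, messages, and an early return, beside a hardened version that returns one generic response and performs the same hashing work on every path. The user store, password, and helper names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; same on every path

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample user store: one known account (hypothetical data).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential checked when the username is unknown, so the
# unknown-user path costs the same as a real password check.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_ERROR = "Invalid credentials"

def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Before: status, message and timing all reveal whether the user exists (CWE-204)."""
    rec = USERS.get(username)
    if rec is None:
        return 404, "Unknown user"  # early return: no hashing, distinct status
    salt, stored = rec
    if _hash_password(password, salt) == stored:  # also not a constant-time compare
        return 200, "OK"
    return 401, "Wrong password"

def login_hardened(username: str, password: str) -> tuple[int, str]:
    """After: same status, same message, same work whether or not the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)  # always computed
    # compare_digest runs first on every path; the membership check only
    # guards against accepting a (practically impossible) dummy-hash match.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return (200, "OK") if ok else (401, GENERIC_ERROR)

def response_discrepancy(handler) -> bool:
    """True if an unknown user and a wrong password produce distinguishable responses."""
    return handler("nobody", "x") != handler("alice", "x")
```

`response_discrepancy` is the check a reviewer can run against any login handler; timing equality should additionally be confirmed by measuring both paths under load rather than by inspection alone.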
