
CVE-2025-67806 | EUVD-2025-209166

Severity: LOW (CVSS 3.1 base score 3.7)
Weakness: Observable Discrepancy (CWE-203)
Published: 2026-04-01 | Source: mitre | Advisory: GHSA-7h2g-p6hq-vh75

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

CVE Published: Apr 01, 2026 - 00:00 (nvd)
EUVD ID Assigned: Apr 01, 2026 - 15:30 (euvd) - EUVD-2025-209166
Analysis Generated: Apr 01, 2026 - 15:30 (vuln.today)

Description (NVD)

The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions.

Analysis (AI-generated)

Sage DPW versions before 2021_06_000 reveal whether a username exists through differences in the login response (timing and messaging), enabling account enumeration without authentication. The low CVSS score (3.7) reflects the limited confidentiality impact and high attack complexity, but the flaw lowers the barrier for subsequent targeted attacks (such as password guessing) against accounts confirmed to exist. No active exploitation has been confirmed.

Technical Context (AI-generated)

The vulnerability is a classic information-disclosure flaw in an authentication mechanism: the login endpoint returns distinguishable responses for valid and invalid usernames. An unauthenticated attacker can therefore enumerate valid accounts by observing timing differences, error messages, or HTTP status codes across failed login attempts. Sage DPW is an on-premise data processing and workflow management system; the affected versions (before 2021_06_000) provide no administrative control to disable this enumeration vector. The CWE classification was not provided in the advisory data, though this pattern typically falls under CWE-203 (Observable Discrepancy) or CWE-640 (Weak Password Recovery Mechanism Validation).

Remediation (AI-generated)

Upgrade Sage DPW to version 2021_06_000 or later, which adds administrative controls to disable username enumeration in the login mechanism. If an immediate upgrade is not feasible, consult the Sage DPW administrator documentation (https://www.sagedpw.at/) for guidance on firewall or reverse-proxy rules that normalize login error responses or rate-limit enumeration attempts. Implement account lockout policies and monitor failed login attempts for patterns consistent with username enumeration (many distinct usernames from one source in a short window).
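The discrepancy described in the Technical Context and the "normalize login error responses" mitigation above, shown as a leaky login check beside a response-uniform one. This is an added illustration, not Sage DPW code: the in-memory user store, the messages, and the PBKDF2 parameters are all constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store: username -> (salt, PBKDF2-SHA256 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# A throwaway credential that is hashed whenever the username is unknown, so the
# server does the same amount of work (and takes about the same time) on every miss.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """'Before' pattern (CWE-203): distinct messages and an early return for
    unknown users, so the response itself tells the client whether the account exists."""
    rec = USERS.get(username)
    if rec is None:
        return (401, "Unknown user")        # no hashing done: fast path, distinct text
    salt, stored = rec
    if not hmac.compare_digest(_hash(password, salt), stored):
        return (401, "Wrong password")      # slow path, different text
    return (200, "OK")


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened pattern: same status code, same message and the same hashing work
    for every failed attempt, whether or not the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Hash first (always), then decide; the membership check guards against a
    # password that happens to match the dummy hash.
    match = hmac.compare_digest(_hash(password, salt), stored)
    if match and username in USERS:
        return (200, "OK")
    return (401, "Invalid username or password")
```

The leaky variant lets a client tell the two failure cases apart from the message alone; the uniform variant is what a reverse-proxy rule that rewrites error bodies approximates from the outside, but only the application can also equalize the work done per attempt.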

CVE-2025-67806 vulnerability details – vuln.today