CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions.
Analysis
Sage DPW versions before 2021_06_000 leak valid username existence through differential login response timing and messaging, enabling account enumeration without authentication. The vulnerability has a low CVSS score (3.7) reflecting limited confidentiality impact and high attack complexity, though it reduces the security barrier for subsequent targeted attacks against known valid accounts. No active exploitation has been confirmed.
Technical Context
The vulnerability stems from a classic information disclosure flaw in authentication mechanisms where the login endpoint returns distinguishable responses for valid versus invalid usernames. This allows an unauthenticated attacker to enumerate valid user accounts by observing timing differences, error messages, or HTTP response codes during failed login attempts. Sage DPW is an on-premise data processing and workflow management system; the affected versions (pre-2021_06_000) do not provide administrative controls to disable this enumeration vector. The CWE classification was not provided in the advisory data, though this pattern typically falls under CWE-203 (Observable Discrepancy) or CWE-640 (Weak Password Recovery Mechanism Validation).
Affected Products
Sage DPW versions before 2021_06_000 are affected by this vulnerability. The exact product name, major version series, and release date mapping were not fully specified in the available data. According to the vendor website (sagedpw.at), remediation is available in version 2021_06_000 and later, where on-premise administrators can toggle the enumeration behavior via configuration controls. Organizations running Sage DPW 2021_06_004 or earlier should treat this as applicable.
Remediation
Upgrade Sage DPW to version 2021_06_000 or later, which includes administrative controls to disable username enumeration in the login mechanism. If immediate upgrade is not feasible, consult the Sage DPW administrator documentation (https://www.sagedpw.at/) for guidance on firewall or reverse-proxy rules that can normalize login error responses or rate-limit enumeration attempts. Implement account lockout policies and monitor failed login attempts for patterns consistent with username enumeration attacks.
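As an added illustration of the remediation guidance above (this is not Sage DPW's code; the user store, password hashing scheme, log format and field names are constructed for the example), the leaky login pattern is shown beside a hardened one that returns a single generic message and does the same hashing work whether or not the username exists, followed by a detector that flags a source whose failed logins span many distinct usernames:

```python
import hashlib
import hmac
import os
from collections import defaultdict

def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Work factor is illustrative, not a Sage DPW setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user store (username -> (salt, hash)); not Sage DPW's schema.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}
# Decoy credential with an unguessable password: unknown usernames still cost one PBKDF2 run.
_DECOY_SALT = os.urandom(16)
_DECOY_HASH = _pbkdf2(os.urandom(16).hex(), _DECOY_SALT)
GENERIC_FAILURE = "Invalid username or password"

def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Vulnerable pattern: distinct messages, and no hashing for unknown users (timing leak)."""
    if username not in USERS:
        return False, "Unknown user"
    salt, stored = USERS[username]
    if hmac.compare_digest(_pbkdf2(password, salt), stored):
        return True, "OK"
    return False, "Wrong password"

def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Same work and same message whether or not the username exists."""
    salt, stored = USERS.get(username, (_DECOY_SALT, _DECOY_HASH))
    ok = hmac.compare_digest(_pbkdf2(password, salt), stored) and username in USERS
    return ok, ("OK" if ok else GENERIC_FAILURE)

# Constructed log lines: one source cycling through usernames, another retrying one account.
SAMPLE_LOG = """\
2025-01-01T10:00:00Z src=203.0.113.5 user=alice result=fail
2025-01-01T10:00:01Z src=203.0.113.5 user=bob result=fail
2025-01-01T10:00:02Z src=203.0.113.5 user=carol result=fail
2025-01-01T10:00:03Z src=203.0.113.5 user=dave result=fail
2025-01-01T10:00:05Z src=198.51.100.7 user=alice result=fail
2025-01-01T10:00:06Z src=198.51.100.7 user=alice result=fail
2025-01-01T10:00:07Z src=198.51.100.7 user=alice result=ok
"""

def enumeration_suspects(log_text: str, threshold: int = 4) -> list[str]:
    """Sources whose failed logins span >= threshold distinct usernames (enumeration signature)."""
    names = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("result") == "fail":
            names[fields["src"]].add(fields["user"])
    return sorted(src for src, seen in names.items() if len(seen) >= threshold)
```

The source retrying one account is a credential-guessing pattern for the lockout policy to handle; the source spreading failures across many names is the enumeration pattern the text describes.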
EUVD-2025-209166
GHSA-7h2g-p6hq-vh75