CVE-2025-67807

EUVD-2025-209168
Severity: MEDIUM (4.7, CVSS 3.1)
Published: 2026-04-01 (source: mitre)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

EUVD ID Assigned (EUVD-2025-209168): Apr 01, 2026 - 16:00 (euvd)
Analysis Generated: Apr 01, 2026 - 16:00 (vuln.today)
CVE Published: Apr 01, 2026 - 00:00 (nvd)

Description

The login mechanism of Sage DPW 2025_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behaviour in newer versions.

Analysis

Sage DPW 2025_06_004 and earlier versions enable username enumeration through differential login responses, allowing remote attackers to discover valid user accounts without authentication. The vulnerability affects all versions before 2021_06_000, though on-premise administrators in newer versions can disable this behavior through configuration options.

Technical Context

The vulnerability is a classic username enumeration flaw stemming from information disclosure in the authentication mechanism. The login system returns distinguishable responses for valid and invalid usernames, violating the principle of consistent error messaging, which allows an unauthenticated client to probe the application systematically and identify existing accounts. The affected product is Sage DPW (inferred from the vendor domain sagedpw.at to be a financial/accounting solution), and the flaw affects versions prior to 2021_06_000. The root cause appears to be insufficient abstraction in error handling during authentication: the application inadvertently leaks whether an account exists by returning different responses for the "unknown user" and "wrong password" cases.

Affected Products

Sage DPW versions before 2021_06_000 are affected by this vulnerability. The most recent affected version mentioned is 2025_06_004, which appears to indicate a calendar-versioning scheme (YYYY_MM_build). All versions prior to 2021_06_000 display the enumeration behavior. Sage DPW is a financial/accounting software solution; additional details on specific deployments (cloud-hosted vs. on-premise) and product variants should be confirmed via the vendor advisory at https://www.sagedpw.at/.

Remediation

Upgrade Sage DPW to version 2021_06_000 or later, which includes the ability for on-premise administrators to configure consistent login error responses. For organizations unable to upgrade immediately, on-premise administrators with access to newer versions should enable the configuration option to suppress username enumeration feedback. For versions before 2021_06_000, implement compensating controls such as IP-based rate limiting on login attempts, enforcing CAPTCHA after repeated failures, and monitoring for systematic account enumeration patterns. Consult the vendor advisory at https://www.sagedpw.at/ for specific remediation guidance and patch availability.
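The flaw described under Technical Context and the consistent-response fix described above, as an added illustration in Python; this is not Sage DPW code (the product's internals are not on this page), and the user store, passwords and messages are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; the iteration count is illustrative, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# A throwaway credential hashed once at startup, so a lookup for an unknown
# user still performs one full hash and the failure path costs the same time.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_enumerable(username: str, password: str) -> tuple[bool, str]:
    """Vulnerable pattern: the message itself reveals whether the account exists."""
    rec = USERS.get(username)
    if rec is None:
        return (False, "Unknown user")          # leaks: account does not exist
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return (True, "Welcome")
    return (False, "Wrong password")            # leaks: account exists


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Hardened pattern: one generic failure message and the same work on every path."""
    # Unknown users are verified against the dummy record, so the hash is always
    # computed; the membership check then rejects a (random) dummy-password match.
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if ok:
        return (True, "Welcome")
    return (False, "Invalid username or password")


def responses_differ(login, known: str, unknown: str) -> bool:
    """True when the login function's failure response distinguishes the two usernames."""
    return login(known, "wrong")[1] != login(unknown, "wrong")[1]
```

Both failure branches of the hardened version should also map to the same HTTP status code and comparable response size, since a differing status or body length leaks the same bit as a differing message.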

Priority Score

24 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +24
POC: 0


CVE-2025-67807 vulnerability details – vuln.today
