CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Description
User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malicious actor can enumerate potential targets by incrementing or decrementing from known identifiers or through enumerating random digit sequences.
Analysis
This is a user enumeration vulnerability in a web management interface whose usernames are restricted to device identifiers (numerical values of at most 10 digits). An unauthenticated remote attacker can discover valid accounts by systematically testing digit sequences, which yields information disclosure and, per the vector, limited integrity and availability impact. The CVSS 8.6 rating reflects the high confidentiality impact; patch status and evidence of active exploitation require vendor-specific assessment.
Technical Context
This vulnerability is rooted in CWE-204 (Observable Discrepancy / Information Exposure Through Discrepancy): the authentication mechanism exhibits detectable differences between valid and invalid usernames. The underlying issue is low username entropy combined with weak or absent enumeration protections (rate limiting, lockout delays, resistance to response-timing analysis). Devices that use sequential or predictable numerical identifiers as the username present a trivial enumeration surface. The web management interface likely lacks protections such as constant-time credential comparison, progressive delays on failed attempts, CAPTCHA challenges, or account lockout policies. This is compounded by the 10-digit maximum constraint (~1 billion possible values), which keeps brute-force enumeration computationally feasible.
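The following is an added illustration, not code from the advisory or from any affected vendor. It contrasts a login check that exhibits the CWE-204 discrepancy (a different message for "unknown id" versus "wrong password") with a hardened check that returns a uniform response, spends the same password-hashing work on unknown identifiers as on known ones, compares digests in constant time, and applies a per-source lockout. The device table, the salts, the password, the lockout threshold and the source addresses are all constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ROUNDS = 50_000  # assumed work factor for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed device table: numeric device id (the username) -> (salt, password hash).
# The id and password are made up and do not correspond to any real product.
_SALT = os.urandom(16)
DEVICES = {
    "1234567890": (_SALT, _hash_password("correct horse", _SALT)),
}

# Dummy credential so that an unknown id costs exactly the same hashing work
# as a known one; this removes the timing discrepancy between the two cases.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder-not-a-real-secret", _DUMMY_SALT)


def weak_login(device_id: str, password: str) -> str:
    """Exhibits the observable discrepancy: the message reveals whether the id exists."""
    if device_id not in DEVICES:
        return "unknown device"          # leaks that the id is not registered
    salt, stored = DEVICES[device_id]
    if _hash_password(password, salt) == stored:
        return "ok"
    return "bad password"                # leaks that the id IS registered


MAX_FAILURES = 5                         # assumed lockout threshold
_failures = defaultdict(int)             # source address -> consecutive failures


def hardened_login(device_id: str, password: str, source: str) -> str:
    """Uniform response, equal work for unknown ids, constant-time compare, per-source lockout."""
    if _failures[source] >= MAX_FAILURES:
        return "denied"                  # identical to the failed-login response
    # Unknown ids are checked against the dummy credential, so the code path is the same.
    salt, stored = DEVICES.get(device_id, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # compare_digest always runs; the membership check only confirms a real match.
    ok = hmac.compare_digest(candidate, stored) and device_id in DEVICES
    if ok:
        _failures[source] = 0
        return "ok"
    _failures[source] += 1
    return "denied"
```

The per-source counter is only one layer: an attacker that rotates source addresses defeats it, which is why the remediation below also calls for network restriction of the management interface and for monitoring authentication logs across sources.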
Affected Products
Based on the description, affected products are web-management-enabled network devices (likely industrial, IoT, or embedded systems) that: (1) use numerical device identifiers as usernames; (2) limit usernames to ≤10 digits; (3) expose management interfaces over HTTP/HTTPS without enumeration protections. Without vendor-specific references or CPE strings in this record, specific products cannot be named; vendors must publish advisories identifying affected product families and firmware versions. Typical vulnerable categories include industrial control devices (PLCs, gateways), networked appliances, remote management interfaces, and embedded systems. Organizations should cross-reference their device inventory against vendor security advisories for CVE-2025-5485.
Remediation
Immediate remediation steps:
(1) Contact the vendor for patches addressing enumeration protection.
(2) Apply vendor-supplied firmware updates when available; specifics depend on the device manufacturer.
(3) Interim mitigations: restrict management interface access via firewall rules limiting source IP ranges; implement WAF/IDS rules detecting sequential authentication attempts; enforce rate limiting on login endpoints; implement account lockout after failed attempts.
(4) Administrative controls: disable default/predictable device identifiers where possible; require strong supplementary authentication (MFA); monitor authentication logs for enumeration patterns.
(5) Architectural: network segmentation isolating management interfaces to trusted administrative networks.
Vendors should implement enumeration defenses: constant-time username validation, progressive delays, CAPTCHAs, and consider randomized or longer usernames.
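As an added example of the log monitoring called for in steps (3) and (4), the script below is not from the advisory or any vendor; it assumes a simple line format (`timestamp src=… user=… result=…`) that a management interface or a reverse proxy might emit, and the sample lines are constructed. It flags a source address on either of two signals drawn from the description: many distinct numeric usernames failing inside a time window (random digit sequences), or a run of consecutive identifiers (incrementing or decrementing from a known id). Window size and thresholds are assumed values to tune per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format; field names are an assumption for the example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\d{1,10}) result=(?P<result>\w+)$"
)

# Constructed sample lines: one normal login, one noisy source walking ids upward,
# and one user who mistypes once and then succeeds. Not output from any real device.
SAMPLE_LOG = """\
2025-06-01T10:00:00Z src=192.0.2.10 user=1234567890 result=ok
2025-06-01T10:00:05Z src=198.51.100.7 user=1234567890 result=fail
2025-06-01T10:00:06Z src=198.51.100.7 user=1234567891 result=fail
2025-06-01T10:00:07Z src=198.51.100.7 user=1234567892 result=fail
2025-06-01T10:00:08Z src=198.51.100.7 user=1234567893 result=fail
2025-06-01T10:00:09Z src=198.51.100.7 user=1234567894 result=fail
2025-06-01T10:00:10Z src=198.51.100.7 user=1234567895 result=fail
2025-06-01T10:01:00Z src=192.0.2.11 user=5550001234 result=fail
2025-06-01T10:01:20Z src=192.0.2.11 user=5550001234 result=ok
"""


def parse(log_text):
    """Yield (timestamp, source, user, result) for every line matching LOG_RE."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["user"], m["result"]


def longest_consecutive_run(ids):
    """Length of the longest run in which each id differs from the previous by exactly 1
    (covers both incrementing and decrementing walks)."""
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if abs(b - a) == 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(log_text, window=timedelta(minutes=5),
                       distinct_threshold=5, run_threshold=3):
    """Return {source: reason} for sources whose failed logins look like id enumeration."""
    by_src = defaultdict(list)
    for ts, src, user, result in parse(log_text):
        if result != "ok":
            by_src[src].append((ts, int(user)))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        # Sliding window over this source's failed attempts, oldest to newest.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = [u for _, u in events[start:end + 1]]
            distinct = len(set(ids))
            if distinct >= distinct_threshold:
                alerts[src] = f"{distinct} distinct ids within {window}"
                break
            run = longest_consecutive_run(ids)
            if run >= run_threshold:
                alerts[src] = f"run of {run} consecutive ids"
                break
    return alerts


if __name__ == "__main__":
    for src, reason in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {src}: {reason}")
```

Only failed attempts feed the detector, so a legitimate user who mistypes once and then logs in is not flagged, while a source that walks consecutive identifiers trips the run check after three attempts regardless of how slowly it goes within the window. Because an enumerating client may spread attempts across many source addresses, the same logic is worth running keyed on the target username population as a whole (distinct ids tried per window across all sources) in addition to per source.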
EUVD ID: EUVD-2025-18211