CVE-2025-27451
BaseFortify
Publication date: 2025-07-03
Last updated on: 2026-02-06
Assigner: SICK AG
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| endress | meac300-fnade4_firmware | to 0.16.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
| CWE-203 | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because the application returns different error messages for failed login attempts depending on whether the username does not exist or the password is incorrect. This behavior allows an attacker to determine which usernames are valid by trying different usernames and observing the error messages.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing an attacker to enumerate valid usernames on your system. This information can be used to facilitate further attacks, such as targeted password guessing or social engineering.