CVE-2025-41066
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-02

Last updated on: 2025-12-03

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of valid accounts on the system. To exploit the vulnerability, an HTTP request must be sent to ‘/imp/attachment.php’ including the parameters ‘id’ and ‘u’. If the specified user exists, the server will return the download of an empty file; if it does not exist, no download will be initiated, which unequivocally reveals the validity of the user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-02
Last Modified
2025-12-03
Generated
2026-06-16
AI Q&A
2025-12-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-41066
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
horde groupware 5.2.22
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Horde Groupware v5.2.22 allows an unauthenticated attacker to determine if a user account exists on the system. By sending an HTTP request to '/imp/attachment.php' with specific parameters ('id' and 'u'), the attacker can observe the server's response: if the user exists, the server returns an empty file download; if not, no download occurs. This behavior reveals valid user accounts without authentication.

Impact Analysis

The vulnerability can impact you by allowing attackers to enumerate valid user accounts on your Horde Groupware system without authentication. This can facilitate further targeted attacks such as phishing, brute force password attempts, or social engineering, potentially compromising user accounts and system security.

Detection Guidance

This vulnerability can be detected by sending HTTP requests to the '/imp/attachment.php' endpoint with the parameters 'id' and 'u' set to different usernames. If the server responds by initiating a download of an empty file, it indicates that the user exists; if no download occurs, the user does not exist. For example, using curl commands: curl -i 'http://<target>/imp/attachment.php?id=someid&u=validuser' and curl -i 'http://<target>/imp/attachment.php?id=someid&u=invaliduser' to compare responses.

Mitigation Strategies

Immediate mitigation steps include restricting access to the '/imp/attachment.php' endpoint, implementing authentication to prevent unauthenticated access, and monitoring for suspicious requests targeting this endpoint. Additionally, updating to a patched version of Horde Groupware when available is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-41066. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart