CVE-2025-62181
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-10

Last updated on: 2025-12-10

Assigner: Pegasystems Inc.

Description
Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-10
Last Modified
2025-12-10
Generated
2026-06-16
AI Q&A
2025-12-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62181
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
pega platform 24.2.4
pega platform 25.1.1
pega platform 7.1.0
pega platform 24.1.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a User Enumeration issue in Pega Platform versions 7.1.0 through 25.1.0. It occurs during the user authentication process where differences in response time can allow a remote unauthenticated attacker to determine if a username is valid or not. This issue only affects the deprecated basic-authentication feature, and more secure authentication mechanisms are recommended.

Impact Analysis

The vulnerability can allow a remote unauthenticated attacker to identify valid usernames by analyzing response times during authentication. This can lead to targeted attacks such as brute force or phishing against known user accounts. However, it does not directly impact confidentiality, integrity, or availability beyond leaking username validity information.

Mitigation Strategies

To mitigate this vulnerability, you should avoid using the deprecated basic-authentication feature and switch to more secure authentication mechanisms. Additionally, apply the available patches in versions 24.1.4, 24.2.4, or 25.1.1 as soon as possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62181. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart