CVE-2025-62181
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-10
Assigner: Pegasystems Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
The versions listed are range boundaries rather than four isolated affected builds: 7.1.0 is the earliest affected release, and 24.1.4, 24.2.4 and 25.1.1 are the fixed releases named in the Q&A below (affected range: 7.1.0 through 25.1.0).

| Vendor | Product | Version / Range |
|---|---|---|
| pega | platform | 7.1.0 (earliest affected release) |
| pega | platform | 24.1.4 (fixed release, 24.1 line) |
| pega | platform | 24.2.4 (fixed release, 24.2 line) |
| pega | platform | 25.1.1 (fixed release, 25.1 line) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a user enumeration issue (CWE-204, observable response discrepancy) in Pega Platform versions 7.1.0 through 25.1.0. It occurs during user authentication: the server's response time differs depending on whether the submitted username exists, so a remote, unauthenticated attacker can tell valid usernames from invalid ones by timing failed login attempts. The issue affects only the deprecated basic-authentication feature; Pega recommends moving to its more secure authentication mechanisms.
How can this vulnerability impact me?
The vulnerability allows a remote, unauthenticated attacker to identify valid usernames by measuring authentication response times. A confirmed list of usernames makes follow-on attacks such as password spraying, brute force or targeted phishing far more efficient. Beyond confirming which usernames exist (a limited confidentiality impact), the flaw itself does not affect confidentiality, integrity or availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade to a fixed release for your release line (24.1.4, 24.2.4 or 25.1.1) as soon as possible, and stop using the deprecated basic-authentication feature in favour of the supported authentication mechanisms. Since the issue is confined to basic authentication, confirming that the feature is disabled removes the exposure even before patching. Until then, watch for the enumeration pattern itself: many failed login attempts across different usernames from a single source in a short window.
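To make the mechanism and the fix concrete, here is an added example that is not code from BaseFortify or Pegasystems. The advisory does not say what causes the timing difference in Pega's basic authentication, so the example models the most common cause: a login routine that returns before doing the expensive password hash when the username is unknown. It pairs that vulnerable routine with a hardened one that does the same work on both paths, and includes the measurement loop an attacker would run. The user store, usernames, passwords, PBKDF2 work factor and the 10x latency threshold are all constructed for the demo.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed credential store for the demo; not Pega's implementation.
# The root cause in CVE-2025-62181 is not stated in the advisory; this
# models the usual one: skipping the slow password hash for unknown users.
ITERATIONS = 50_000  # PBKDF2 work factor, kept modest so the demo runs fast


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_record(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


USERS = {"alice": _make_record("correct horse battery staple")}

# Fixed dummy record so the hardened path always performs one real hash,
# even when the username does not exist.
_DUMMY_SALT, _DUMMY_HASH = _make_record("placeholder-never-accepted")


def login_vulnerable(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False  # microseconds: no hashing for unknown users (the leak)
    salt, expected = rec
    return hmac.compare_digest(_hash(password, salt), expected)


def login_hardened(username: str, password: str) -> bool:
    rec = USERS.get(username)
    salt, expected = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    # Identical hashing work whether or not the user exists; the result is
    # then forced to False for unknown users.
    match = hmac.compare_digest(_hash(password, salt), expected)
    return match and rec is not None


def median_latency(login, username: str, samples: int = 5) -> float:
    """Median wall-clock seconds for a failed login against `username`."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, "definitely-wrong-password")
        times.append(time.perf_counter() - start)
    return statistics.median(times)


def enumerate_users(login, candidates, ratio: float = 10.0) -> list:
    """Attacker's view: flag candidates whose failed-login latency is far
    above that of a username known not to exist."""
    baseline = median_latency(login, "no-such-user-9f3a")
    return [u for u in candidates if median_latency(login, u) > ratio * baseline]


if __name__ == "__main__":
    names = ["admin", "alice", "bob"]
    print("vulnerable:", enumerate_users(login_vulnerable, names))  # ['alice']
    print("hardened:  ", enumerate_users(login_hardened, names))    # []
```

Against `login_vulnerable` the valid username stands out by three or four orders of magnitude, so a handful of samples per candidate is enough even over a network. Against `login_hardened` every failed attempt costs one PBKDF2 computation regardless of whether the user exists, so the ratio collapses to about 1 and the enumeration returns nothing. The same principle (equal work and an identical response body and status on both paths) is what a replacement for basic authentication has to satisfy; the upgrade and the switch away from basic authentication recommended above are how you get there on Pega Platform.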