CVE-2025-62181
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-62181, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-10

Last updated on: 2025-12-10

Assigner: Pegasystems Inc.

Description

Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-10
Last Modified
2025-12-10
Generated
2026-07-06
AI Q&A
2025-12-11
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
pega platform 24.2.4
pega platform 25.1.1
pega platform 7.1.0
pega platform 24.1.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a User Enumeration issue in Pega Platform versions 7.1.0 through 25.1.0. It occurs during the user authentication process where differences in response time can allow a remote unauthenticated attacker to determine if a username is valid or not. This issue only affects the deprecated basic-authentication feature, and more secure authentication mechanisms are recommended.

Impact Analysis

The vulnerability can allow a remote unauthenticated attacker to identify valid usernames by analyzing response times during authentication. This can lead to targeted attacks such as brute force or phishing against known user accounts. However, it does not directly impact confidentiality, integrity, or availability beyond leaking username validity information.

Mitigation Strategies

To mitigate this vulnerability, you should avoid using the deprecated basic-authentication feature and switch to more secure authentication mechanisms. Additionally, apply the available patches in versions 24.1.4, 24.2.4, or 25.1.1 as soon as possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62181. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart