CVE-2025-67806
Username Enumeration Vulnerability in Sage DPW Login Mechanism
Publication date: 2026-04-01
Last updated on: 2026-04-07
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sagedpw | sage_dpw | 2025_06_004 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-203 | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to enumerate valid usernames by exploiting distinct responses in the login mechanism. This user enumeration can potentially aid further targeted attacks, which may lead to unauthorized access attempts.
While the provided information does not explicitly mention compliance impacts, user enumeration vulnerabilities can increase the risk of data breaches or unauthorized access, which may affect compliance with standards like GDPR or HIPAA that require protection of personal and sensitive information.
Mitigation options exist in newer versions where on-premise administrators can toggle the behavior to reduce this risk.
Can you explain this vulnerability to me?
CVE-2025-67806 is a user enumeration vulnerability in the login mechanism of Sage DPW (the affected-products table on this page lists version 2025_06_004). The login mechanism returns distinct responses for valid and invalid usernames, which lets an attacker determine whether a given username exists in the system.
This behavior enables unauthenticated attackers to enumerate valid user accounts by analyzing the distinct error messages or responses during login attempts.
In newer versions, on-premise administrators can toggle this behavior to prevent user enumeration.
How can this vulnerability impact me?
This vulnerability allows attackers to identify valid usernames on the affected Sage DPW system without authentication.
Knowing valid usernames can facilitate further targeted attacks such as phishing, password guessing, or brute force attacks.
Although the CVSS v3.1 score is low (3.7), the vulnerability can still aid attackers in gathering information that compromises user privacy and system security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by comparing the login mechanism's responses for a username that is known not to exist with responses for candidate usernames, all submitted with a deliberately wrong password. A tester looks for any observable difference: a different error message, HTTP status code, response length, redirect target, header, or a consistently different response time. If any of these reliably separates existing from non-existing accounts, user enumeration is possible.
Specific commands are not provided in the available information. A common approach is to script the login request (for example with curl in a loop, or a small HTTP client) over a list of candidate usernames, record the status code and body for each, and flag usernames whose response differs from the unknown-user baseline. Any such test should be run only against systems you are authorized to assess, because it is indistinguishable from a real enumeration attempt in the server logs.
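The following is an added example, not code from this page or from Sage. It models the two behaviours described in the explanation and detection answers above in a self-contained way so it can run offline: `login_vulnerable` reproduces the CWE-203 pattern (different failure responses for an unknown user and a wrong password), `login_hardened` shows the corrected form (one generic failure response and the same password-hash work on both paths), and `enumerate_users` is the detection logic from the previous answer, applied to a login function instead of a live HTTP endpoint. The user store, user names and passwords are constructed for the demo and are not Sage DPW data; the function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store (not real Sage DPW data): username -> (salt, pbkdf2 hash).
_ITERATIONS = 20_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_record(password: str):
    salt = secrets.token_bytes(16)
    return salt, _hash_password(password, salt)


USERS = {"alice": _make_record("correct-horse-battery")}

# Throwaway record so that an unknown username still costs exactly one hash computation
# (keeps the timing of the two failure paths alike in the hardened handler).
_DUMMY_RECORD = _make_record(secrets.token_hex(16))


def _verify(record, password: str) -> bool:
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


def login_vulnerable(username: str, password: str):
    """CWE-203 pattern: the two failure paths are distinguishable by the client."""
    if username not in USERS:
        return 404, "Unknown user"          # leaks that the account does not exist
    if not _verify(USERS[username], password):
        return 401, "Wrong password"        # leaks that the account does exist
    return 200, "OK"


def login_hardened(username: str, password: str):
    """Corrected form: unknown user and wrong password produce the same response."""
    record = USERS.get(username, _DUMMY_RECORD)
    password_ok = _verify(record, password)  # always evaluated, same work either way
    if not (password_ok and username in USERS):
        return 401, "Invalid username or password"
    return 200, "OK"


def _fingerprint(response):
    """What an attacker can observe: status code, body length and body text."""
    status, body = response
    return status, len(body), body


def enumerate_users(login, candidates, password="definitely-not-the-password"):
    """Return candidates whose failure response differs from an unknown-user baseline."""
    baseline = _fingerprint(login("no-such-user-" + secrets.token_hex(4), password))
    return [u for u in candidates if _fingerprint(login(u, password)) != baseline]


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("vulnerable:", enumerate_users(login_vulnerable, names))  # ['alice']
    print("hardened:  ", enumerate_users(login_hardened, names))    # []
```

Against a real deployment the `login` argument would be a function that performs the HTTP POST and returns the status code and body; a more thorough probe also records headers, redirect locations and response time per request, since any of those can leak the same bit of information even when the message text has been made generic.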
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to upgrade to a Sage DPW release newer than the affected version listed on this page (2025_06_004), since the advisory states that newer versions let on-premise administrators change this behavior.
After upgrading, on-premise administrators should use that administrative toggle to disable the distinct responses for valid and invalid usernames, so that every failed login returns the same generic message and status code.
Additionally, rate-limiting and lockout on the login endpoint, alerting on bursts of failed logins that cycle through many distinct usernames from one source, and requiring multi-factor authentication reduce the value of an enumerated username list to an attacker.