CVE-2025-67807
Status: Received - Intake
Username Enumeration in Sage DPW Login Allows Account Disclosure

Publication date: 2026-04-01

Last updated on: 2026-04-07

Assigner: MITRE

Description
The login mechanism of Sage DPW 2025_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behaviour in newer versions.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-01
EPSS evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: sagedpw
Product: sage_dpw
Version / Range: 2025_06_004
CWE
CWE-204: The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Executive Summary

The vulnerability exists in the login mechanism of Sage DPW versions before 2021_06_000. It causes the system to display different responses depending on whether a username is valid or invalid. This behavior allows an attacker to enumerate or discover existing user accounts by observing these distinct responses.

In newer versions, on-premise administrators have the ability to toggle this behavior to prevent such enumeration.

Impact Analysis

This vulnerability can allow an attacker to identify valid usernames on the affected system by analyzing the different responses during login attempts. Knowing valid usernames is often a first step in targeted attacks such as password guessing, phishing, or social engineering.

Mitigation Strategies

The root cause is the CWE-204 pattern: the login flow in Sage DPW versions before 2021_06_000 answers differently depending on whether the submitted username exists, so a failed attempt tells the caller which accounts are real.

On-premise administrators can mitigate this issue in newer versions by toggling the login mechanism behaviour so that valid and invalid usernames receive the same response, which removes the enumeration signal.
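As an added illustration, not code from Sage DPW or from this advisory, the snippet below places the CWE-204 login pattern next to a hardened variant that returns one message and does the same hashing work whether the username exists or not; the user store, password hashing and `distinguishes_accounts` check are constructed assumptions.

```python
import hashlib
import hmac
import os


def _hash(password: bytes, salt: bytes) -> bytes:
    # Constructed hashing scheme for the example; not Sage DPW's.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


# Constructed sample user store: username -> (salt, password hash)
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash(b"correct horse", _SALT))}

# Dummy record used when the username is unknown, so the hardened path
# performs the same hashing work and cannot be told apart by timing either.
_DUMMY = (os.urandom(16), _hash(os.urandom(16), os.urandom(16)))


def login_vulnerable(username: str, password: str) -> str:
    """CWE-204 pattern: the failure message reveals whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return "Unknown user"
    salt, stored = record
    if hmac.compare_digest(_hash(password.encode(), salt), stored):
        return "OK"
    return "Wrong password"


def login_hardened(username: str, password: str) -> str:
    """Same message and same work for an unknown user and a wrong password."""
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password.encode(), salt), stored)
    if matches and username in USERS:
        return "OK"
    return "Invalid username or password"


def distinguishes_accounts(login) -> bool:
    """Defender's check: does a failed login differ for a real vs a bogus user?"""
    return login("alice", "not-the-password") != login("nobody", "not-the-password")
```

Running `distinguishes_accounts` against each handler is the kind of regression check to keep after flipping the administrative toggle, so the enumeration signal does not quietly return.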

Compliance Impact

This vulnerability allows enumeration of existing accounts by distinguishing valid from invalid usernames during login attempts. Such account enumeration can increase the risk of unauthorized access or targeted attacks, potentially leading to exposure of personal or sensitive information.

As a result, this vulnerability could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and access controls to prevent unauthorized disclosure or access.

However, the impact may be mitigated in newer versions where on-premise administrators can toggle this behavior.
