CVE-2025-67807
Username Enumeration in Sage DPW Login Allows Account Disclosure
Publication date: 2026-04-01
Last updated on: 2026-04-07
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sagedpw | sage_dpw | 2025_06_004 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows enumeration of existing accounts by distinguishing valid from invalid usernames during login attempts. Such account enumeration can increase the risk of unauthorized access or targeted attacks, potentially leading to exposure of personal or sensitive information.
As a result, this vulnerability could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and access controls to prevent unauthorized disclosure or access.
However, the impact may be mitigated in newer versions where on-premise administrators can toggle this behavior.
Can you explain this vulnerability to me?
The vulnerability exists in the login mechanism of Sage DPW versions before 2021_06_000. It causes the system to display different responses depending on whether a username is valid or invalid. This behavior allows an attacker to enumerate or discover existing user accounts by observing these distinct responses.
In newer versions, on-premise administrators have the ability to toggle this behavior to prevent such enumeration.
How can this vulnerability impact me?
This vulnerability can allow an attacker to identify valid usernames on the affected system by analyzing the different responses during login attempts. Knowing valid usernames is often a first step in targeted attacks such as password guessing, phishing, or social engineering.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability allows enumeration of existing accounts due to distinct responses for valid and invalid usernames in Sage DPW versions before 2021_06_000.
On-premise administrators can mitigate this issue by toggling the login mechanism behaviour in newer versions to prevent username enumeration.
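Added example illustrating the CWE-204 pattern described above and the hardened shape a fix takes; this is not Sage DPW code, and the user store, credentials and function names are constructed for the demonstration.

```python
"""Response discrepancy (CWE-204) in a login handler, weak vs. hardened.

Constructed demo; not Sage DPW code. `login_verbose` answers differently for
unknown and known usernames, so an unauthenticated caller learns which
accounts exist. `login_uniform` returns one generic message and does the same
amount of hashing work on every path, so neither the text nor the timing
reveals account existence.
"""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, pbkdf2 hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so unknown usernames cost the same hash work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not a real password", _DUMMY_SALT)


def login_verbose(username: str, password: str) -> str:
    """Weak: the reply itself tells the caller whether the account exists."""
    if username not in USERS:
        return "Unknown user"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Wrong password"


def login_uniform(username: str, password: str) -> str:
    """Hardened: identical message and identical work for both failure paths."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # An unknown user must never authenticate, even if the dummy hash matched.
    if ok and username in USERS:
        return "OK"
    return "Invalid username or password"


def leaks_existence(login) -> bool:
    """True if the handler answers differently for a known vs. unknown user."""
    return login("alice", "bad") != login("nobody", "bad")
```

Pointing `leaks_existence` at a real handler's wrapper is a quick regression check that a fix for this class of issue did not reintroduce distinct failure messages.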