Impact
The Sage DPW application returns distinguishable responses for valid and invalid login usernames. This behavioural difference lets an attacker probe the login form and confirm whether a specific account exists without knowing its password. The weakness corresponds to CWE-203 (Observable Discrepancy) and its child CWE-204 (Observable Response Discrepancy). A confirmed list of valid usernames can be used for targeted social engineering, for credential guessing or password spraying aimed only at accounts that actually exist, or to locate privileged accounts, which raises the adversary's chance of success and reduces the failed-login noise that would otherwise reveal the attempt.
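The response-discrepancy pattern and its fix, as an added Python example that is not Sage DPW code and does not reproduce the product's actual login logic: `login_leaky` answers unknown and known usernames with different status codes and messages (and skips the password hash for unknown users, so timing differs as well), `login_uniform` returns one status, one message and the same hashing cost either way, and `enumerates` is the black-box probe a tester can point at either handler. The user store, salt and passwords are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample user store (not Sage DPW data): username -> (salt, PBKDF2 digest).
_ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


_SALT = b"fixed-salt-for-demo-only"
USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT)),
}
# Dummy credential hashed for unknown usernames so that the hashing cost (and thus
# the response time) no longer depends on whether the account exists.
_DUMMY = (_SALT, _hash("not-a-real-password", _SALT))


def login_leaky(username: str, password: str):
    """Vulnerable pattern: the status code and message reveal whether the user exists,
    and unknown users are answered without the expensive hash, so timing leaks too."""
    record = USERS.get(username)
    if record is None:
        return 404, "Unknown user"
    salt, digest = record
    if not hmac.compare_digest(_hash(password, salt), digest):
        return 401, "Wrong password"
    return 200, "OK"


def login_uniform(username: str, password: str):
    """Hardened pattern: one status code, one message and one hashing cost regardless
    of whether the username is known (what a 'suppress distinct responses' option
    should achieve)."""
    salt, digest = USERS.get(username, _DUMMY)
    # Always compute the hash, then AND in the membership test so that guessing the
    # dummy password for an unknown user still fails.
    password_ok = hmac.compare_digest(_hash(password, salt), digest)
    if not (password_ok and username in USERS):
        return 401, "Invalid username or password"
    return 200, "OK"


def enumerates(login, candidates, absent="zz-no-such-user-8f3a"):
    """Black-box check: a login handler enumerates users if any candidate gets a
    different response than a username that is certainly absent. The password is a
    deliberate junk value; a valid password is not needed to run the probe."""
    baseline = login(absent, "probe")
    return {name: login(name, "probe") != baseline for name in candidates}


if __name__ == "__main__":
    for handler in (login_leaky, login_uniform):
        print(handler.__name__, enumerates(handler, ["alice", "bob"]))
```

Against a real deployment the same probe is run over HTTP: send the same junk password for a name that cannot exist and for each candidate, and compare status code, body (after stripping nonces and timestamps), redirect target and response time. Any stable difference is the enumeration oracle described above, and the check is equally useful for verifying that a suppression setting is actually in effect after an upgrade.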
Affected Systems
All Sage DPW installations running a build earlier than 2021_06_000 are affected. Those builds offer no way to disable the enumeration behaviour. Later releases introduced a configuration option that lets on-premise administrators suppress the distinct login responses; since this is an option rather than a changed default, an upgraded instance is only protected once the setting has actually been enabled, so it should be verified after upgrading. The publicly listed CPE refers to the 2025_06_004 build, which includes this toggle.
Risk and Exploitability
The CVSS score of 3.7 places the issue in the low-severity range, and the EPSS score below 1% indicates a very low estimated probability of exploitation on the current data. It is not listed in CISA's KEV catalog. Exploitation only requires access to the web-based login page, which is reachable by anyone who can reach the Sage DPW instance, so the attack vector is presumed to be remote over HTTP without prior authentication. Because the impact is limited to confirming that a username exists, the overall risk is modest, but the finding is still actionable: it is cheap to fix, and enumerated usernames feed directly into the credential-guessing and phishing campaigns that cause the real damage.
OpenCVE Enrichment