The vulnerability arises when the Sage DPW login page returns different responses for valid versus invalid usernames. This subtle difference enables an attacker to test whether a given account exists, providing an information disclosure path that does not grant direct control but reveals user enumeration. The weakness aligns with CWE‑203, which concerns unintended information leaks through varying output. An enumerated list of users can be used for social engineering, credential guessing, or targeted attacks on privileged accounts, thus compromising confidentiality of account existence.

Sage DPW installations running the 2021_06_004 build or earlier – specifically versions predating 2021_06_000 – are impacted. The vulnerability is identified in the Sage DPW product as published under the CPE 2025_06_004. On‑premise administrators have the ability to toggle the enumeration behavior in newer releases, but before version 2021_06_000 the feature cannot be disabled, leaving all such deployments susceptible.

The CVSS score of 3.7 places the issue in the low‑severity range, and the EPSS score of less than 1% indicates a very low probability of exploitation as of the current data. It is not listed in CISA’s KEV catalog. While the exploit requires only access to the web‑based login interface – a route likely available to anyone who can reach the Sage DPW instance – the impact is limited to account enumeration. Consequently the overall risk is modest, yet the vulnerability remains actionable for security teams that need to protect user information.