Description
The login mechanism of Sage DPW 2025_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behaviour in newer versions.
Published: 2026-04-01
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Account Enumeration via Login Response Discrimination
Action: Mitigate
AI Analysis

Impact

This vulnerability enables an attacker to determine whether a username exists in the system by analyzing the difference in responses returned by the login mechanism. The distinct responses for valid versus invalid usernames disclose which accounts exist and can be leveraged to compile a list of valid accounts. The weakness is categorized under CWE-204: Information Exposure Through Unintended Data Disclosure.

Affected Systems

Sage DPW versions prior to 2021_06_000 are affected, including the 2025_06_004 release used by on-premise environments. On-premise administrators have the ability to toggle this behavior in newer releases, thus mitigating the issue for current deployments.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate severity, with an EPSS score below 1% and no listing in the CISA KEV catalog. The likely attack vector is a network-based login attempt to the Sage DPW authentication endpoint. While successful enumeration does not directly grant credential compromise, it facilitates targeted credential stuffing or phishing attacks, thereby increasing the overall threat to confidentiality and potentially enabling further exploitation once credentials are obtained.

Generated by OpenCVE AI on April 7, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Enable the account enumeration suppression setting in the Sage DPW configuration for installations on or before version 2021_06_000
  • Upgrade to Sage DPW 2021_06_000 or later and verify the enumeration toggle is disabled
  • If operating a newer version, confirm the enumeration suppression feature is active via the administration console
  • Monitor login attempt logs for suspicious patterns and enforce rate limiting or account lockout policies

Generated by OpenCVE AI on April 7, 2026 at 21:31 UTC.
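The response discrepancy described under Impact, and the log monitoring recommended above, illustrated as an added example that is not part of the OpenCVE record and is not Sage DPW code: a leaky login reply beside a uniform one, and a check over constructed log lines that flags a source failing against many different usernames. The user store, log format and `src=`/`user=`/`result=` field names are assumptions made for the example.

```python
import hashlib
import re
import secrets
from collections import defaultdict

# Constructed user store (not real accounts): username -> SHA-256 of the password.
# A production system would use a slow password hash; SHA-256 keeps the example short.
def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

USERS = {"alice": _h("correct-horse"), "bob": _h("battery-staple")}
DUMMY_HASH = _h("dummy-never-matches")  # hypothetical filler hash for unknown users

def login_verbose(username: str, password: str) -> str:
    """Leaky pattern (CWE-204): the reply tells the caller whether the user exists."""
    if username not in USERS:
        return "Unknown user"
    if not secrets.compare_digest(USERS[username], _h(password)):
        return "Wrong password"
    return "OK"

def login_uniform(username: str, password: str) -> str:
    """Hardened pattern: one failure message, and the hash comparison runs on
    every path so unknown and known usernames take the same work."""
    stored = USERS.get(username, DUMMY_HASH)
    matched = secrets.compare_digest(stored, _h(password))
    return "OK" if matched and username in USERS else "Invalid username or password"

# Constructed log lines in a hypothetical format; one source cycles through usernames.
LOG_LINES = [
    "2026-04-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL",
    "2026-04-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL",
    "2026-04-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL",
    "2026-04-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL",
    "2026-04-01T10:00:05Z src=198.51.100.7 user=alice result=FAIL",
    "2026-04-01T10:00:09Z src=198.51.100.7 user=alice result=OK",
]
LOG_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")

def flag_enumeration(lines, threshold: int = 3) -> dict:
    """Return {src: distinct_failed_usernames} for sources that failed against at
    least `threshold` different usernames, the pattern worth rate-limiting."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(3) == "FAIL":
            seen[m.group(1)].add(m.group(2))
    return {src: len(users) for src, users in seen.items() if len(users) >= threshold}
```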

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type    Values Removed    Values Added
Title                     Account Enumeration via Login Response Discrimination in Sage DPW

Tue, 07 Apr 2026 20:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Sagedpw
                                        Sagedpw sage Dpw
CPEs                                    cpe:2.3:a:sagedpw:sage_dpw:2025_06_004:*:*:*:*:*:*:*
Vendors & Products                      Sagedpw
                                        Sagedpw sage Dpw

Thu, 02 Apr 2026 20:30:00 +0000

Type                  Values Removed    Values Added
Title                                   Account Enumeration via Login Response Discrimination in Sage DPW
First Time appeared                     Sage
                                        Sage dpw
Vendors & Products                      Sage
                                        Sage dpw

Wed, 01 Apr 2026 23:45:00 +0000

Type           Values Removed    Values Added
Description                      The login mechanism of Sage DPW 2025_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behaviour in newer versions.
Weaknesses                       CWE-204
References
Metrics                          cvssV3_1
                                 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                                 ssvc
                                 {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T19:19:19.721Z

Reserved: 2025-12-12T00:00:00.000Z

Link: CVE-2025-67807

Vulnrichment

Updated: 2026-04-01T19:16:15.937Z

NVD

Status : Analyzed

Published: 2026-04-01T16:23:48.470

Modified: 2026-04-07T19:22:34.767

Link: CVE-2025-67807

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:00:01Z

Weaknesses