CVE-2025-67807: Sage DPW Information Disclosure Flaw

CVE-2025-67807 Overview

CVE-2025-67807 is a username enumeration vulnerability affecting Sage DPW versions before 2021_06_000. The login mechanism in Sage DPW 2025_06_004 displays distinct responses for valid and invalid usernames, allowing attackers to enumerate existing accounts on the system. This information disclosure weakness enables threat actors to identify valid user accounts, which can then be targeted in subsequent credential-based attacks such as brute force or password spraying campaigns.

Critical Impact

Attackers can enumerate valid usernames through differential login responses, enabling targeted credential attacks against confirmed accounts.

Affected Products

• Sage DPW versions before 2021_06_000
• Sage DPW 2025_06_004 (with default configuration)

Discovery Timeline

• 2026-04-01 - CVE-2025-67807 published to NVD
• 2026-04-01 - Last updated in NVD database

Technical Details for CVE-2025-67807

Vulnerability Analysis

This vulnerability falls under CWE-204 (Observable Response Discrepancy), a class of information exposure vulnerabilities where an application reveals sensitive information through variations in its behavior. In the case of Sage DPW, the login mechanism provides distinguishable error messages or response characteristics when a valid username is submitted versus an invalid one.

When an attacker attempts authentication, the system's differential response allows them to systematically probe the login endpoint to build a list of valid user accounts. This reconnaissance capability significantly reduces the effort required for subsequent attacks, as threat actors can focus credential stuffing or brute force attempts exclusively on confirmed accounts rather than guessing both usernames and passwords.

The network-based attack vector requires user interaction and has a changed scope, meaning the vulnerability can affect resources beyond the vulnerable component itself. While the immediate impact involves limited confidentiality and integrity breaches, the enumerated account information serves as a stepping stone for more severe attacks.

Root Cause

The root cause of this vulnerability is improper implementation of authentication error handling in the Sage DPW login mechanism. Rather than providing generic, uniform error messages regardless of whether a username exists, the application returns distinguishable responses that reveal username validity. Secure authentication implementations should return identical error messages such as "Invalid username or password" regardless of which credential component failed validation.

Attack Vector

The attack is executed over the network against the Sage DPW login interface. An attacker can automate requests with various usernames and analyze response differences to identify valid accounts. The differential responses may manifest as:

• Different error message text (e.g., "User not found" vs. "Invalid password")
• Variations in HTTP response codes
• Timing differences in response delivery
• Differences in response body length or structure

Once valid usernames are confirmed, attackers can proceed with targeted password attacks against known accounts, significantly improving the efficiency of credential-based attacks.

Detection Methods for CVE-2025-67807

Indicators of Compromise

• High volume of failed login attempts across multiple different usernames from a single source IP
• Sequential or alphabetical patterns in attempted usernames suggesting automated enumeration
• Rapid succession of login requests with minimal delay between attempts
• Login attempts targeting system or service account naming conventions

Detection Strategies

• Implement rate limiting detection on authentication endpoints to identify automated enumeration attempts
• Monitor for unusual patterns in authentication failures, particularly where many unique usernames are attempted from limited source addresses
• Deploy web application firewall (WAF) rules to detect and block username enumeration patterns
• Enable detailed authentication logging to capture username, timestamp, source IP, and response codes

Monitoring Recommendations

• Configure alerting on authentication endpoint traffic that exceeds baseline thresholds
• Monitor for reconnaissance patterns in SIEM platforms by correlating failed login attempts with subsequent successful authentications
• Track and alert on login attempts from known malicious IP addresses or suspicious geographic locations

How to Mitigate CVE-2025-67807

Immediate Actions Required

• Upgrade Sage DPW to version 2021_06_000 or later to access the configuration option to disable differential responses
• For on-premise deployments, toggle the username enumeration behavior setting in newer versions to return uniform error messages
• Implement account lockout policies to limit the effectiveness of enumeration attempts
• Deploy additional authentication controls such as CAPTCHA or multi-factor authentication

Patch Information

Organizations running Sage DPW versions prior to 2021_06_000 should upgrade to a supported version that includes the ability to configure uniform authentication responses. On-premise administrators can toggle the behavior setting in newer versions to prevent username enumeration. Refer to the SageDPW Website for upgrade information and additional security guidance.

Workarounds

• Implement a web application firewall (WAF) in front of the Sage DPW login endpoint to normalize error responses
• Deploy rate limiting on authentication endpoints to slow enumeration attempts
• Use network-level access controls to restrict login endpoint access to trusted IP ranges where possible
• Consider implementing CAPTCHA challenges after a threshold of failed login attempts to impede automated enumeration