PatchSiren cyber security CVE debrief

CVE-2025-67806 Sagedpw CVE debrief

CVE-2025-67806 describes an account-enumeration weakness in the Sage DPW login mechanism. In affected versions, the login flow can return distinct responses for valid versus invalid usernames, which can let an attacker confirm whether an account exists. NVD rates the issue low severity (CVSS 3.7) and maps it to CWE-203/CWE-204. The record also notes that on-premise administrators can toggle this behavior in newer versions.

Vendor: Sagedpw
Product: CVE-2025-67806
CVSS: LOW 3.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-01
Original CVE updated: 2026-05-10
Advisory published: 2026-04-01
Advisory updated: 2026-05-10

Who should care

Sage DPW administrators, identity and access management owners, and security teams responsible for exposed login pages should review this issue. It is especially relevant where the application is reachable over the network or used in environments that depend on minimizing account-enumeration signals.

Technical summary

The vulnerability is an information-disclosure flaw in authentication handling: the application returns distinguishable login responses for valid and invalid usernames, enabling user/account enumeration. NVD classifies it as CWE-203 (Observable Discrepancy) and CWE-204 (Response Discrepancy), with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The supplied record also states that newer versions let on-premise administrators toggle the behavior.

Defensive priority

Low priority for immediate emergency response, but still worth scheduling: confirmed usernames undermine login hardening and give an attacker a verified account list for follow-on targeting. If the affected system is exposed, confirm whether a vendor-supported setting or update can suppress the response difference.

Recommended defensive actions

  • Confirm the exact Sage DPW build in use and compare it with the affected version information in the CVE/NVD record.
  • If a newer supported release is available, apply it and review whether the login response-differentiation toggle is enabled or can be configured defensively.
  • Normalize authentication failure messages where the product and deployment model allow it, so valid and invalid usernames do not produce different observable outcomes.
  • Monitor authentication logs for repeated username-probing patterns and rate-limit or alert on suspicious login attempts.
  • If the login portal is externally reachable, prioritize exposure reduction and compensating controls such as access restrictions and MFA where available.
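The monitoring action above can be approximated with a small log analyzer. The example below is added here and is not PatchSiren's or Sage's code; the log line format and the sample lines are constructed assumptions, and the threshold (five distinct usernames failing from one source within five minutes) is a starting point to tune, not a vendor value.

```python
"""Flag sources that probe many distinct usernames, the pattern an
account-enumeration weakness such as CVE-2025-67806 invites.
Assumed log format (constructed): <iso-ts> src=<ip> user=<name> result=<outcome>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one source sweeps six usernames in seconds,
# another is a normal user who mistypes a password once and then succeeds.
SAMPLE_LOG = """\
2026-04-02T09:00:01 src=198.51.100.7 user=alice result=bad_password
2026-04-02T09:00:02 src=198.51.100.7 user=bob result=unknown_user
2026-04-02T09:00:03 src=198.51.100.7 user=carol result=unknown_user
2026-04-02T09:00:04 src=198.51.100.7 user=dave result=bad_password
2026-04-02T09:00:05 src=198.51.100.7 user=erin result=unknown_user
2026-04-02T09:00:06 src=198.51.100.7 user=frank result=unknown_user
2026-04-02T09:05:00 src=203.0.113.9 user=alice result=bad_password
2026-04-02T09:05:20 src=203.0.113.9 user=alice result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Return (timestamp, src, user, result) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]))
    return events


def find_probing_sources(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Map each flagged source to every username it failed against.

    A source is flagged when any sliding window of `window` length contains
    failed attempts against at least `min_distinct_users` different usernames.
    Successful logins are ignored so a legitimate retry does not count.
    """
    failed = defaultdict(list)
    for ts, src, user, result in events:
        if result != "success":
            failed[src].append((ts, user))
    flagged = {}
    for src, attempts in failed.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward
            if len({u for _, u in attempts[start:end + 1]}) >= min_distinct_users:
                flagged[src] = sorted({u for _, u in attempts})
                break
    return flagged
```

Server-side logs may legitimately keep the unknown_user/bad_password distinction even after the client-facing response is normalized; the point of the fix is that the client cannot tell the two apart, while the defender still can.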

Evidence notes

This debrief is based on the supplied CVE description and NVD metadata only. The description says the issue affects Sage DPW versions before 2021_06_000, while the NVD CPE criteria shown in the source metadata reference cpe:2.3:a:sagedpw:sage_dpw:2025_06_004:*:*:*:*:*:*:*, so version boundaries should be verified against vendor guidance. NVD also lists the weakness mappings CWE-203 and CWE-204 and the CVSS vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N.

Official resources

Publicly disclosed in the CVE record on 2026-04-01 and later modified on 2026-05-10 per the supplied timeline.