Revive Adserver
cpe:2.3:a:revive-adserver:revive_adserver:*:*:*:*:*:*:*
A vulnerability has been reported in Revive Adserver's username handling that allows impersonation attacks and bypasses the earlier fix for CVE-2025-52672. It stems from inadequate validation of usernames during account registration, in particular of Unicode characters that are visually deceptive. All versions of Revive Adserver that contain the flawed username validation logic are affected.
Exploitation can lead to the unauthorized creation of accounts that mimic existing users, administrators in particular. This not only bypasses the username uniqueness requirement but also facilitates account enumeration and impersonation, with potential for phishing and credential harvesting.
The vulnerability can be reproduced by registering a new account with a username that includes a zero-width space, a right-to-left override character, or a Cyrillic homograph that resembles a Latin character. Such usernames pass the application's validation checks and produce accounts that are visually indistinguishable from legitimate ones.
Revive Adserver has released a patch that replaces the vulnerable validation pattern with a more effective whitelist approach: instead of rejecting a list of known-bad characters, only an explicit set of permitted characters is accepted. Instructions for applying this patch can be found in the Revive Adserver security advisory.
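The following is an added illustration, not Revive Adserver's own (PHP) code or its actual patch: a deny-list style check in the spirit of the flawed pattern is placed beside an allowlist validator, and both are run against constructed usernames of the three kinds the advisory names (zero-width space, right-to-left override, Cyrillic homograph). The regexes, the sample usernames and the existing-user set are assumptions for the demonstration.

```python
import re
import unicodedata

# Constructed sample usernames (not taken from the advisory), one per class it names.
EXISTING_USERS = {"admin"}
SAMPLES = {
    "zero_width": "ad\u200bmin",          # ZERO WIDTH SPACE hidden inside "admin"
    "rtl_override": "admin\u202e",        # RIGHT-TO-LEFT OVERRIDE appended to "admin"
    "cyrillic_homograph": "\u0430dmin",   # CYRILLIC SMALL LETTER A in place of Latin 'a'
    "legit": "admin2",
}

# Deny-list check (illustrative, not Revive's pattern): it names a few bad
# characters, so any codepoint it does not mention, including invisible and
# bidi-control characters, passes. Note that \s does not match U+200B or U+202E.
WEAK_DENY = re.compile(r"[<>\"'/\\\s]")

def weak_validate(username: str) -> bool:
    return 2 <= len(username) <= 64 and not WEAK_DENY.search(username)

# Allowlist check: only ASCII letters, digits, dot, underscore and hyphen.
# Every other codepoint is rejected, so no two accepted names can render alike.
ALLOW = re.compile(r"^[A-Za-z0-9._-]{2,64}$")
ALLOW_CHAR = re.compile(r"[A-Za-z0-9._-]")

def strict_validate(username: str) -> bool:
    return ALLOW.fullmatch(username) is not None

def is_taken(username: str, existing=EXISTING_USERS) -> bool:
    # Case-insensitive uniqueness; with an allowlist this is sufficient.
    return username.casefold() in {u.casefold() for u in existing}

def register(username: str, validator) -> str:
    """Outcome of a registration attempt: 'created', 'rejected' or 'duplicate'."""
    if not validator(username):
        return "rejected"
    if is_taken(username):
        return "duplicate"
    return "created"

def suspicious_codepoints(username: str) -> list:
    """Name the codepoints the allowlist rejects; handy when auditing existing accounts."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"
            for ch in username if not ALLOW_CHAR.fullmatch(ch)]

def compare() -> dict:
    """Per sample: (outcome under the deny-list check, outcome under the allowlist)."""
    return {name: (register(u, weak_validate), register(u, strict_validate))
            for name, u in SAMPLES.items()}
```

Running `compare()` shows each deceptive name being created under the deny-list check and rejected under the allowlist, while the ordinary name is accepted by both; `suspicious_codepoints()` can be run over an existing user table to find accounts registered before the fix.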