Pega Platform User Enumeration Vulnerability

Vulnerability

A user enumeration vulnerability has been identified in Pega Platform versions 7.1.0 through 25.1.0. The issue arises during the user authentication process, where variations in response times may allow a remote, unauthenticated user to ascertain whether a username is valid. The vulnerability is limited to the deprecated basic authentication feature; more secure authentication methods are recommended. Patches for this vulnerability are included in the 24.1.4, 24.2.4, and 25.1.1 releases.

Impact

Exploitation of this vulnerability allows for user enumeration, where an attacker can differentiate between valid and invalid usernames based on response times during the authentication process.
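The response-time difference the advisory describes typically comes from a login path that skips the password-hash check when the username is unknown, so a rejected unknown user is answered faster than a rejected known user. The following is an added example, not Pega's code: the user store, names and hash parameters are constructed, and hash operations are counted so the difference between the vulnerable path and the constant-work fix is visible without timing measurements.

```python
"""Timing-based user enumeration in a login path, and a constant-work fix.

Added illustration; not Pega Platform code. User store and credentials
below are constructed for the example.
"""
import hashlib
import hmac
import os

_USERS = {}  # constructed store: username -> (salt, pbkdf2 hash)
HASH_CALLS = {"count": 0}  # instrumentation: how many derivations ran


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2 derivation; this is the expensive step an attacker can time."""
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = (salt, _derive(password, salt))


# Dummy record so unknown usernames still pay for one derivation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("placeholder-password", _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users: zero derivations versus one for a
    known user, which is exactly the response-time gap that leaks validity."""
    record = _USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_derive(password, salt), stored)


def login_hardened(username: str, password: str) -> bool:
    """Always performs one derivation and one constant-time compare, using
    the dummy record for unknown users, so both rejection paths do equal work.
    The final membership check stops the dummy password from logging in."""
    salt, stored = _USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_derive(password, salt), stored)
    return ok and username in _USERS


def hash_calls_for(login, username: str, password: str) -> int:
    """Number of password derivations a single login attempt performs."""
    before = HASH_CALLS["count"]
    login(username, password)
    return HASH_CALLS["count"] - before
```

Comparing `hash_calls_for` across a known and an unknown username shows the vulnerable path doing 0 versus 1 derivations, while the hardened path does 1 in both cases.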

Remediation

Users can upgrade to Pega Platform versions 24.1.4, 24.2.4, or 25.1.1 to address this vulnerability. Information about the availability of these patch releases will be publicly posted on the Pega Support Center on December 10, 2025.

Added: Dec 10, 2025, 9:29 PM
Updated: Dec 10, 2025, 9:29 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 7.4
remediation: 8.3
relevance: 1.4
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.