
CVE-2025-24391: CWE-203 Observable Discrepancy in OTRS AG OTRS

Medium
Tags: Vulnerability, CVE-2025-24391, CWE-203
Published: Mon Jul 14 2025 (07/14/2025, 08:15:58 UTC)
Source: CVE Database V5
Vendor/Project: OTRS AG
Product: OTRS

Description

A vulnerability in the External Interface of OTRS allows conclusions to be drawn about the existence of user accounts through different HTTP response codes and messages. This enables an attacker to systematically identify valid email addresses. This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* OTRS 2025.X

AI-Powered Analysis

Last updated: 07/14/2025, 08:46:24 UTC

Technical Analysis

CVE-2025-24391 is a medium-severity vulnerability in the OTRS ticketing and service management software, affecting versions 7.0.x, 8.0.x, 2023.x, 2024.x and 2025.x. The External Interface returns different HTTP response codes and messages depending on whether the queried user account exists. An attacker who submits a list of candidate email addresses and compares the responses can therefore separate registered addresses from unregistered ones without any credentials. This is CWE-203 (Observable Discrepancy): the application leaks a fact it should keep private through an inconsistency in otherwise normal behaviour.

The CVSS v3.1 base score is 5.3 (medium), corresponding to the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: network attack vector, low attack complexity, no privileges or user interaction required, and a low impact on confidentiality only, with no effect on integrity or availability. No exploitation in the wild had been reported at publication (July 14, 2025), and no fix was linked in the CVE record at that time.

The direct consequence is confirmation of which email addresses correspond to user accounts. That list is the input to targeted phishing, credential attacks such as password spraying, and other social-engineering attacks against the identified users, so the practical severity for a given organisation depends on how widely the External Interface is exposed and on what other controls protect those accounts.
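The following Python is an added illustration of the CWE-203 pattern the analysis describes; it is not OTRS code and not from the advisory. Two hypothetical handlers model an account-lookup endpoint: one answers differently for registered and unregistered addresses (the vulnerable behaviour), the other gives the same status code and message either way (the fix). The comparison function is also the check a practitioner would run against a test instance, using one address known to exist and one that does not, to confirm whether the discrepancy is present. The account set and email addresses are constructed sample data.

```python
"""Added illustration of the CWE-203 pattern behind CVE-2025-24391.

This is not OTRS code. lookup_vulnerable() and lookup_hardened() are
hypothetical handlers that model the behaviour the advisory describes
(an account-lookup endpoint answering differently for registered and
unregistered email addresses) and its fix. KNOWN_ACCOUNTS is a
constructed sample backend.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample data: the accounts that "exist" in this toy backend.
KNOWN_ACCOUNTS = {"alice@example.org", "bob@example.org"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def lookup_vulnerable(email: str) -> Response:
    """Hypothetical vulnerable handler: status and message depend on existence."""
    if email in KNOWN_ACCOUNTS:
        return Response(200, "Instructions have been sent to your address.")
    return Response(404, "No account found for this email address.")


def lookup_hardened(email: str) -> Response:
    """Hypothetical hardened handler: the client sees the same result either way.

    Any side effect (queueing a real email) happens only for known accounts,
    but nothing about that decision reaches the HTTP response.
    """
    if email in KNOWN_ACCOUNTS:
        pass  # queue the email here; deliberately no client-visible difference
    return Response(200, "If an account exists for this address, instructions have been sent.")


def observable_discrepancy(handler: Callable[[str], Response],
                           candidate: str, baseline: str) -> dict:
    """Compare a candidate address with an address assumed not to exist.

    Returns the observable fields that differ (status code, message text,
    message length). An empty dict means this pair gives the caller no oracle.
    """
    a, b = handler(candidate), handler(baseline)
    diffs = {}
    if a.status != b.status:
        diffs["status"] = (a.status, b.status)
    if a.body != b.body:
        diffs["body"] = (a.body, b.body)
    if len(a.body) != len(b.body):
        diffs["length"] = (len(a.body), len(b.body))
    return diffs


def enumerate_valid(handler: Callable[[str], Response],
                    candidates: Iterable[str],
                    baseline: str = "nobody-7f3a@example.invalid") -> list:
    """Systematic probing as described in the advisory.

    Every candidate whose response differs from the baseline's is reported
    as a registered account.
    """
    return sorted(c for c in candidates if observable_discrepancy(handler, c, baseline))


if __name__ == "__main__":
    wordlist = ["alice@example.org", "carol@example.org", "bob@example.org"]
    print("vulnerable handler leaks:", enumerate_valid(lookup_vulnerable, wordlist))
    print("hardened handler leaks:  ", enumerate_valid(lookup_hardened, wordlist))
```

Against the vulnerable handler the wordlist yields the two registered addresses; against the hardened one it yields nothing, because status, message and length are identical for both outcomes. When testing a real deployment, measure response time as well: a handler that only does the expensive work for existing accounts can leak the same bit through timing even when the HTTP response is uniform.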

Potential Impact

For European organizations using OTRS versions affected by this vulnerability, the primary impact is the exposure of valid user email addresses through user enumeration. This can facilitate targeted phishing campaigns, spear-phishing, and social engineering attacks, increasing the risk of credential compromise or unauthorized access. While the vulnerability does not directly allow system compromise or data manipulation, the leakage of user existence information undermines privacy and can be a stepping stone for more severe attacks. Organizations in sectors with sensitive customer or employee data, such as finance, healthcare, and government, are particularly at risk. The medium severity rating suggests that while the vulnerability is not critical, it still poses a meaningful threat to confidentiality and should be addressed promptly to reduce the attack surface and protect user information.

Mitigation Recommendations

To mitigate CVE-2025-24391, organizations should take the following measures:

1) Apply the official update from OTRS AG for the affected branch as soon as it is available; only the vendor fix removes the discrepancy inside the application.

2) Until a patch is deployed, normalize the observable behaviour in front of the External Interface, for example at the reverse proxy or WAF that terminates traffic to it: return the same HTTP status code and the same generic message whether or not the address is registered, and check that response length and timing do not differ noticeably either, since a comparison script will use any stable difference as an oracle.

3) Rate-limit the affected endpoint per source address and per session, and alert on bursts of lookups; enumeration only pays off when many addresses can be tested quickly.

4) Add WAF rules that flag a single client submitting many distinct email addresses to the account-lookup function within a short period.

5) Educate users and administrators about phishing and social engineering, in particular that a message addressed to their exact account email is not evidence that it is legitimate.

6) Review access logs for the External Interface for unusual request volumes, long runs of "not found" responses from one source, and user-agent or timing patterns typical of scripted probing.

Verify any interim mitigation the same way an attacker would test for the flaw: query one address known to exist and one that does not, and confirm that status code, message, length and timing are indistinguishable.
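As an added example of the log review and rate-based detection in points 3 and 6 (not code from OTRS or from this page), the Python below scans web-server access logs for sources hammering the account-lookup endpoint. The route name LOOKUP_PATH is an assumption and must be replaced with the real path in a given deployment; the log lines are constructed in Common Log Format and show one scripted client probing twelve addresses in twelve seconds next to one ordinary visitor.

```python
"""Added detection example for enumeration against an account-lookup endpoint.

This is not OTRS or offseq code. LOOKUP_PATH is a hypothetical route; set it
to the real path of the External Interface function in your deployment.
SAMPLE_LOG is constructed in Common Log Format: one scripted client probing
twelve addresses in twelve seconds and one ordinary visitor.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOOKUP_PATH = "/hypothetical/account-lookup"  # assumption, not the real route

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def _clf(ip, second, method, path, status, size):
    """Build one constructed Common Log Format line at 09:00:00 UTC + second."""
    ts = datetime(2025, 7, 14, 9, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=second)
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"{method} {path} HTTP/1.1" {status} {size}')


# Probing client: mostly "not found" (404) answers, two hits (200).
SAMPLE_LOG = [
    _clf("203.0.113.7", i, "POST", LOOKUP_PATH, 200 if i in (2, 7) else 404,
         48 if i in (2, 7) else 61)
    for i in range(12)
] + [
    _clf("198.51.100.2", 190, "POST", LOOKUP_PATH, 404, 61),   # one genuine typo
    _clf("198.51.100.2", 300, "GET", "/hypothetical/", 200, 1024),
]


def parse(line):
    """Return (ip, timestamp, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def detect_enumeration(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag sources that hit LOOKUP_PATH at least `threshold` times within `window`.

    Returns {ip: {"max_per_window": n, "not_found_ratio": r}} for flagged
    sources. A high not-found ratio is the signature of a wordlist being
    run against the endpoint; a high volume alone may just be a shared NAT.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == LOOKUP_PATH:
            per_ip[rec[0]].append((rec[1], rec[3]))

    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            not_found = sum(1 for _, status in events if status == 404)
            alerts[ip] = {"max_per_window": best,
                          "not_found_ratio": round(not_found / len(events), 2)}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible enumeration from {ip}: {info}")
```

The threshold and window are starting points to tune against a baseline of legitimate traffic. Once responses are normalized at the proxy (point 2), the not-found ratio is no longer available from status codes alone, so keep the volume-based signal and, where the application logs the lookup outcome server-side, move the ratio check to that log instead.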


Technical Details

Data Version
5.1
Assigner Short Name
OTRS
Date Reserved
2025-01-21T09:09:58.721Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6874c046a83201eaacc38abe

Added to database: 7/14/2025, 8:31:02 AM

Last enriched: 7/14/2025, 8:46:24 AM

Last updated: 7/18/2025, 8:33:17 PM
