CVE-2025-41066: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Horde Groupware
CVE-2025-41066 is a user enumeration vulnerability in Horde Groupware version 5.2.22 that allows unauthenticated attackers to verify valid user accounts by sending crafted HTTP requests to the /imp/attachment.php endpoint. The server’s response behavior differs based on user existence, leaking sensitive information about valid usernames. This vulnerability has a CVSS score of 6.9 (medium severity) and requires no authentication or user interaction to exploit. While it does not directly allow access to data or system compromise, it facilitates reconnaissance that can be leveraged in further attacks such as phishing or brute force. No known exploits are currently reported in the wild. European organizations using Horde Groupware 5.
AI Analysis
Technical Summary
CVE-2025-41066 is a vulnerability identified in Horde Groupware version 5.2.22, categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw arises from the application’s handling of HTTP requests to the /imp/attachment.php endpoint with specific parameters 'id' and 'u'. When an attacker sends a request with these parameters, the server’s response behavior reveals whether the specified user exists: if the user exists, the server returns an empty file download; if not, no download occurs. This difference in response enables unauthenticated attackers to enumerate valid user accounts on the system without any authentication or user interaction. User enumeration is a critical step in targeted attacks, as it allows adversaries to identify valid usernames for subsequent password guessing, phishing campaigns, or social engineering attacks. The vulnerability has a CVSS 4.0 base score of 6.9, reflecting its medium severity due to ease of exploitation (network accessible, no privileges or user interaction required) and the limited scope of impact (information disclosure only). No patches or exploits are currently publicly available, but the vulnerability is officially published and should be addressed promptly. The vulnerability does not directly compromise confidentiality, integrity, or availability of data but significantly lowers the barrier for attackers to perform further attacks by confirming valid user accounts.
Potential Impact
For European organizations, the primary impact of CVE-2025-41066 lies in the facilitation of reconnaissance activities by attackers. By enumerating valid user accounts, adversaries can tailor phishing campaigns, credential stuffing, or brute force attacks more effectively, increasing the risk of account compromise. This is particularly concerning for organizations handling sensitive or regulated data, such as government agencies, financial institutions, and healthcare providers, where user account compromise can lead to data breaches or unauthorized access to critical systems. Additionally, the exposure of valid usernames can damage organizational reputation and trust. Since Horde Groupware is used for collaboration and communication, compromised accounts could lead to further lateral movement within networks. The vulnerability’s ease of exploitation and unauthenticated access make it a low-barrier threat that can be exploited remotely. European entities relying on Horde Groupware 5.2.22 should consider this vulnerability a significant risk vector in their threat landscape.
Mitigation Recommendations
1. Apply official patches or updates from the Horde project as soon as they become available to remediate the vulnerability.
2. In the absence of patches, implement web application firewall (WAF) rules to detect and block requests to /imp/attachment.php containing the 'id' and 'u' parameters from untrusted sources.
3. Restrict access to the Horde Groupware interface and related endpoints to trusted IP ranges or via VPN to reduce exposure.
4. Enable detailed logging and monitoring of HTTP requests to detect patterns indicative of user enumeration attempts, such as repeated requests with varying 'u' parameter values.
5. Implement rate limiting on the vulnerable endpoint to hinder automated enumeration attempts.
6. Educate users and administrators about the risks of user enumeration and encourage strong password policies and multi-factor authentication to mitigate risks from subsequent attacks.
7. Conduct regular security assessments and penetration testing focusing on user enumeration and related vulnerabilities in collaboration tools.
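A detection check for mitigation item 4, added here as an example and not taken from the Horde project or this advisory: it parses combined-format access log lines, keeps only requests to /imp/attachment.php carrying both 'id' and 'u', and flags any client IP that tries more than a threshold of distinct 'u' values inside a five-minute window. The log lines, window and threshold are constructed assumptions.

```python
# Added example (not Horde project code): flag clients that probe
# /imp/attachment.php with many distinct 'u' values in a short window.
# Sample lines, window and threshold are constructed assumptions.
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # Apache/nginx "combined" timestamp

def parse_probe(line):
    """Return (ip, timestamp, u) for a request matching the CVE-2025-41066 shape."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/imp/attachment.php"):
        return None
    qs = parse_qs(parts.query)
    if "id" not in qs or "u" not in qs:  # both parameters are part of the probe
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), qs["u"][0]

def find_enumerators(lines, window=timedelta(minutes=5), threshold=5):
    """Return {ip: distinct 'u' count} for IPs exceeding `threshold` names in any `window`."""
    by_ip = {}
    for probe in filter(None, map(parse_probe, lines)):
        ip, ts, u = probe
        by_ip.setdefault(ip, []).append((ts, u))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # sliding window over time-ordered probes per client
        for i, (start, _) in enumerate(events):
            users = {u for ts, u in events[i:] if ts - start <= window}
            if len(users) > threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged

# Constructed sample log: one scanner cycling usernames, one ordinary user.
SAMPLE_LOG = [
    f'203.0.113.7 - - [02/Dec/2025:14:00:{s:02d} +0000] "GET /imp/attachment.php?id=1&u={u} HTTP/1.1" 200 0 "-" "curl/8.0"'
    for s, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace"])
] + [
    '198.51.100.5 - - [02/Dec/2025:14:01:00 +0000] "GET /imp/attachment.php?id=42&u=alice HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [02/Dec/2025:14:02:00 +0000] "GET /imp/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'203.0.113.7': 7}
```

The ordinary user's single 'u' value never crosses the threshold, so only the scanning client is reported; tune `window` and `threshold` to the deployment's normal traffic before alerting on it.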
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:09:34.457Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692ef3cb3a1612a937294c94
Added to database: 12/2/2025, 2:12:27 PM
Last enriched: 12/9/2025, 2:38:22 PM
Last updated: 1/16/2026, 10:16:07 PM