CVE-2025-45994: n/a
An issue in Aranda PassRecovery v1.0 allows attackers to enumerate valid user accounts in Active Directory via sending a crafted POST request to /user/existdirectory/1.
AI Analysis
Technical Summary
CVE-2025-45994 is a security vulnerability identified in Aranda PassRecovery version 1.0, a tool that integrates with Active Directory environments. The vulnerability allows an attacker to enumerate valid user accounts within an Active Directory domain by sending a specially crafted POST request to the endpoint /user/existdirectory/1. This endpoint appears to respond differently based on whether the submitted username exists in the directory, thereby enabling an attacker to confirm the presence or absence of specific user accounts. User enumeration vulnerabilities do not directly allow unauthorized access but provide attackers with critical reconnaissance information, which can be leveraged in subsequent attacks such as password guessing, phishing, or targeted exploitation. The vulnerability does not require authentication, making it accessible to unauthenticated remote attackers. There are no known exploits in the wild at the time of publication, and no patches or fixes have been documented yet. The lack of a CVSS score indicates that the vulnerability has not been fully assessed for severity, but the technical details confirm that the flaw is in the information disclosure category. Since Aranda PassRecovery interacts with Active Directory, the vulnerability could expose sensitive user account information within enterprise environments that rely on this software for password recovery or user management tasks.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily in terms of information disclosure and reconnaissance. Active Directory is widely used across Europe in enterprises, government agencies, and critical infrastructure sectors. The ability to enumerate valid user accounts can facilitate targeted attacks such as credential stuffing, brute force password attacks, or social engineering campaigns. This can lead to unauthorized access, data breaches, and potential lateral movement within networks. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and public administration, may face regulatory and reputational consequences if attackers leverage this vulnerability to compromise user accounts. Additionally, the exposure of valid usernames can aid attackers in crafting more convincing phishing emails, increasing the likelihood of successful compromise. Although the vulnerability does not directly allow privilege escalation or code execution, it lowers the barrier for attackers to identify high-value targets within an organization’s Active Directory environment.
Mitigation Recommendations
To mitigate this vulnerability, European organizations using Aranda PassRecovery v1.0 should first verify if they are running the affected version and monitor vendor communications for patches or updates addressing CVE-2025-45994. In the absence of an official patch, organizations should consider the following specific measures:
1) Restrict access to the /user/existdirectory/1 endpoint by implementing network-level controls such as IP whitelisting or VPN-only access to limit exposure to trusted users.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block anomalous POST requests targeting this endpoint, particularly those that attempt to enumerate usernames.
3) Implement rate limiting and anomaly detection on authentication and user enumeration endpoints to hinder automated scanning attempts.
4) Conduct regular Active Directory auditing and monitoring to detect unusual login attempts or reconnaissance activities.
5) Educate users about phishing risks, as attackers may use enumerated usernames to craft targeted social engineering attacks.
6) Consider deploying multi-factor authentication (MFA) across all user accounts to reduce the risk of account compromise even if usernames are known.
7) If feasible, disable or restrict the use of Aranda PassRecovery until a patch is available or alternative solutions are implemented.
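As an added example (not part of the original advisory or of any Aranda tooling), the anomaly detection recommended above can be run over web server access logs: the sketch below flags source addresses that send more POST requests to /user/existdirectory/1 than a threshold allows within a sliding window. The combined log format, the 60-second window, the limit of 5 requests, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENDPOINT = "/user/existdirectory/1"  # path named in the advisory
WINDOW = timedelta(seconds=60)       # assumed window; tune per site
MAX_HITS = 5                         # assumed per-source limit inside one window

# Assumed input: combined/common access log format, in time order.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} ')

def parse(line):
    """Return (ip, timestamp, method, normalised path) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string and trailing slash; lowercase in case the
    # server treats paths case-insensitively (assumption).
    path = m["path"].split("?", 1)[0].rstrip("/").lower()
    return m["ip"], ts, m["method"], path

def find_enumeration(lines, window=WINDOW, max_hits=MAX_HITS):
    """Map each offending source IP to its peak request count in any window."""
    recent, peaks = defaultdict(deque), {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method != "POST" or path != ENDPOINT:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire hits older than the window
            q.popleft()
        if len(q) > max_hits:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

# Constructed sample: one source probing every 2 seconds, one occasional user.
REQ = '"POST /user/existdirectory/1 HTTP/1.1" 200 64'
SAMPLE_LOG = [f'203.0.113.7 - - [26/Sep/2025:10:00:{s:02d} +0000] {REQ}'
              for s in range(0, 16, 2)] + [
    f'198.51.100.20 - - [26/Sep/2025:10:01:00 +0000] {REQ}',
    f'198.51.100.20 - - [26/Sep/2025:10:09:00 +0000] {REQ}',
    '192.0.2.5 - - [26/Sep/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

The same per-source counter can back a rate-limit rule at the WAF or reverse proxy; the thresholds should be set from the endpoint's observed legitimate traffic.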
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68d6ce8855cc370af6614616
Added to database: 9/26/2025, 5:34:00 PM
Last enriched: 9/26/2025, 5:34:24 PM
Last updated: 9/27/2025, 8:57:21 AM