
CVE-2025-46047: n/a

Medium
Published: Tue Sep 02 2025 (09/02/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A User enumeration vulnerability in the /CredentialsServlet/ForgotPassword endpoint in Silverpeas 6.4.1 and 6.4.2 allows remote attackers to determine valid usernames via the Login parameter.

AI-Powered Analysis

Last updated: 09/02/2025, 13:47:48 UTC

Technical Analysis

CVE-2025-46047 is a user enumeration vulnerability in Silverpeas versions 6.4.1 and 6.4.2. It affects the /CredentialsServlet/ForgotPassword endpoint, which handles password recovery requests. The flaw allows remote attackers to determine whether a given username is valid by observing how the endpoint responds to different values of the Login parameter. User enumeration vulnerabilities arise when an application's response (status code, message, or timing) differs depending on whether a username exists, which lets an attacker compile a list of valid accounts. Such a list is typically used in follow-up attacks such as credential stuffing, brute-force password guessing, or social engineering. The endpoint is reachable without authentication, so no prior access is required. No exploits in the wild have been reported, and no official patch or fix has been linked to the record yet. The absence of a CVSS score indicates that the vulnerability was published recently and may not yet have received a full severity assessment; the vulnerability itself is publicly disclosed as of September 2025.

Potential Impact

For European organizations running Silverpeas 6.4.1 or 6.4.2, this vulnerability poses a significant risk to the confidentiality of user account names. Enumerated usernames give attackers a starting point for targeted attacks such as phishing, password guessing, or credential stuffing, which can lead to unauthorized access to sensitive information or internal systems. Because Silverpeas is an enterprise collaboration platform often deployed in government, education, and corporate environments, exposure of valid usernames could facilitate lateral movement within networks or contribute to data breaches. The impact is greater in sectors subject to strict data protection regulations such as GDPR, where unauthorized access or data leakage can result in severe legal and financial penalties. Although the vulnerability does not by itself allow password resets or account takeover, it lowers the barrier to identifying valid accounts and so increases the likelihood that follow-up attacks succeed.

Mitigation Recommendations

Organizations should immediately audit their Silverpeas installations to determine whether version 6.4.1 or 6.4.2 is in use. Until an official patch is released, administrators should consider the following mitigations:

1) Return a generic response from the ForgotPassword endpoint that does not reveal whether a username exists.
2) Apply rate limiting and IP throttling to password recovery requests to reduce automated enumeration attempts.
3) Enable multi-factor authentication (MFA) on all user accounts to limit the damage from compromised credentials.
4) Monitor logs for unusual activity patterns related to password recovery attempts.
5) Educate users about the phishing and social engineering risks that username enumeration heightens.
6) If possible, temporarily disable or restrict access to the ForgotPassword functionality until a patch is available.

Additionally, organizations should watch for official patches or updates from Silverpeas and apply them promptly once released.
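The following is an added example, not Silverpeas code and not part of this record. It illustrates the vulnerability class from the Technical Analysis and mitigations 1) and 4) above: a password-recovery handler whose response differs for known and unknown logins (the leaky pattern) beside one that returns a single uniform response regardless of input, plus a small detector that flags source addresses making bursts of requests to the ForgotPassword path in an access log. The user store, log lines, thresholds and function names are all constructed for illustration.

```python
"""Uniform forgot-password response and log-based burst detection.

Added example; not the Silverpeas implementation. Every login, address
and log line below is constructed for illustration.
"""
import re
import secrets
from collections import defaultdict, deque
from datetime import datetime

# Constructed user store: login -> contact address (assumed shape).
USERS = {"alice": "alice@example.test", "bob": "bob@example.test"}

UNIFORM_MESSAGE = "If an account matches that login, a reset link has been sent."


def forgot_password_leaky(login: str) -> tuple[int, str]:
    """The enumeration-prone pattern: status and message depend on whether
    the login exists, so a caller can tell valid logins from invalid ones."""
    if login not in USERS:
        return 404, "Unknown user"
    return 200, "A reset link has been sent to your e-mail address."


def forgot_password_uniform(login: str) -> tuple[int, str]:
    """Hardened pattern: identical status and body for every input. Whether
    the login exists only decides whether a reset token is issued."""
    token = secrets.token_urlsafe(32)  # same work on both paths, so timing
    if login in USERS:                 # does not leak existence either
        _queue_reset_mail(USERS[login], token)
    return 200, UNIFORM_MESSAGE


def _queue_reset_mail(address: str, token: str) -> None:
    """Placeholder for the mail step; a real handler would enqueue delivery."""
    return None


# Constructed access-log lines in a common-log-like shape (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - [02/Sep/2025:13:40:01 +0000] "POST /CredentialsServlet/ForgotPassword HTTP/1.1" 200
10.0.0.5 - [02/Sep/2025:13:40:02 +0000] "POST /CredentialsServlet/ForgotPassword HTTP/1.1" 200
10.0.0.5 - [02/Sep/2025:13:40:03 +0000] "POST /CredentialsServlet/ForgotPassword HTTP/1.1" 200
10.0.0.5 - [02/Sep/2025:13:40:04 +0000] "GET /silverpeas/ HTTP/1.1" 200
10.0.0.5 - [02/Sep/2025:13:40:05 +0000] "POST /CredentialsServlet/ForgotPassword HTTP/1.1" 200
10.0.0.5 - [02/Sep/2025:13:40:06 +0000] "POST /CredentialsServlet/ForgotPassword HTTP/1.1" 200
10.0.0.9 - [02/Sep/2025:13:40:07 +0000] "POST /CredentialsServlet/ForgotPassword HTTP/1.1" 200
10.0.0.5 - [02/Sep/2025:13:40:08 +0000] "POST /CredentialsServlet/ForgotPassword HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
RECOVERY_PATH = "/CredentialsServlet/ForgotPassword"


def recovery_bursts(log_text: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Return {ip: peak_count} for sources that hit the recovery endpoint more
    than `threshold` times within any sliding window of `window_s` seconds."""
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    flagged: dict = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(RECOVERY_PATH):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop hits outside the window
            q.popleft()
        if len(q) > threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    print(forgot_password_leaky("alice"), forgot_password_leaky("nobody"))
    print(forgot_password_uniform("alice"), forgot_password_uniform("nobody"))
    print(recovery_bursts(SAMPLE_LOG))
```

The uniform handler keeps the existence check on the server side and moves the only observable difference (an e-mail arriving or not) to a channel the requester does not control. The detector is deliberately simple; in practice the threshold and window should be tuned to the site's normal recovery traffic, and alerts should be correlated with the rate-limiting measure in item 2) so that throttled and unthrottled bursts are both visible.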


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68b6f1fead5a09ad00ddc637

Added to database: 9/2/2025, 1:32:46 PM

Last enriched: 9/2/2025, 1:47:48 PM

Last updated: 9/2/2025, 7:47:49 PM
