
CVE-2025-54129: CWE-204: Observable Response Discrepancy in haxtheweb issues

Medium
Tags: Vulnerability, CVE-2025-54129, CWE-204
Published: Mon Jul 21 2025 (07/21/2025, 20:53:26 UTC)
Source: CVE Database V5
Vendor/Project: haxtheweb
Product: issues

Description

HAXiam is a packaging wrapper for HAXcms which allows anyone to spawn their own microsite management platform. In versions 11.0.4 and below, the application returns a 200 response when requesting the data of a valid user and a 404 response when requesting the data of an invalid user. This can be used to infer the existence of valid user accounts. An authenticated attacker can use automated tooling to brute force potential usernames and use the application's response to identify valid accounts. This can be used in conjunction with other vulnerabilities, such as the lack of authorization checks, to enumerate and deface another user's sites. This is fixed in version 11.0.5.

AI-Powered Analysis

Last updated: 07/29/2025, 01:17:48 UTC

Technical Analysis

CVE-2025-54129 is a medium-severity vulnerability affecting versions 11.0.4 and below of the 'issues' product within the haxtheweb ecosystem, specifically related to the HAXiam packaging wrapper for HAXcms. The vulnerability arises from an observable response discrepancy when querying user data endpoints. When a request is made for a valid user’s data, the application returns an HTTP 200 status code, whereas a request for an invalid user returns an HTTP 404 status code. This behavior allows an authenticated attacker to enumerate valid usernames by automating requests and analyzing the differing server responses. Although the vulnerability itself does not directly compromise confidentiality, integrity, or availability, it facilitates user enumeration, which can be leveraged in combination with other vulnerabilities such as missing authorization checks to perform more damaging attacks, including unauthorized defacement of user-managed microsites. The flaw is addressed in version 11.0.5 of the software. The CVSS 3.1 base score is 4.3, reflecting a medium severity level, with the vector indicating network attack vector, low attack complexity, requiring privileges, no user interaction, and limited confidentiality impact without integrity or availability impact. No known exploits are currently reported in the wild.

Potential Impact

For European organizations using haxtheweb's HAXiam or HAXcms platforms, this vulnerability poses a risk primarily in the context of information disclosure and subsequent targeted attacks. User enumeration can enable attackers to identify valid accounts, which may be used to launch further attacks such as credential stuffing, phishing, or exploiting authorization weaknesses to deface or manipulate microsites. Given that microsites may be used for marketing, communications, or internal collaboration, unauthorized defacement or data exposure could damage organizational reputation and trust. The impact is heightened for organizations relying heavily on these platforms for public-facing content or internal microsite management. However, since exploitation requires authentication, the risk is somewhat mitigated by existing access controls. The vulnerability does not directly affect system availability or integrity but can be a stepping stone in multi-stage attacks.

Mitigation Recommendations

Organizations should promptly upgrade affected haxtheweb 'issues' products to version 11.0.5 or later, where the vulnerability is fixed. Beyond patching, administrators should implement strict authorization checks to ensure users can only access their own data and microsites, reducing the risk of lateral attacks even if user enumeration occurs. Rate limiting and monitoring of user data requests can help detect and prevent automated brute force username enumeration attempts. Employing multi-factor authentication (MFA) for all authenticated users will further reduce the risk of account compromise. Additionally, security teams should audit existing user permissions and microsite content for unauthorized changes and implement logging and alerting for suspicious activities related to user data access. Finally, educating users about phishing and social engineering risks can mitigate follow-on attacks leveraging enumerated usernames.
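The following is an added, constructed illustration of the weakness class and two of the mitigations above; it is not HAXiam or HAXcms code and assumes a hypothetical user-data lookup with placeholder account names and constructed access-log lines. It contrasts a lookup whose status code depends on account existence (the CWE-204 pattern the advisory describes) with one that runs the authorization check first and answers every refused request identically, and it adds a simple detector that flags a client which looks up many distinct usernames within a short window.

```python
"""Constructed example for CWE-204 (observable response discrepancy).
Hypothetical user-data endpoint and log format; not HAXiam/HAXcms code."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed user store; account names are placeholders, not real accounts.
USERS = {
    "alice": {"sites": ["alice-blog"]},
    "bob": {"sites": ["bob-portfolio"]},
}


def lookup_user_leaky(requester, username):
    """Pattern described in the advisory: the status code reveals whether the
    account exists, so any authenticated requester can tell valid names from
    invalid ones regardless of whether they are authorized to see the data."""
    if username in USERS:
        return 200, USERS[username]
    return 404, None


def lookup_user_uniform(requester, username):
    """Hardened pattern: authorization is decided before existence is consulted,
    and every refused request gets the same status and body. Using 404 for both
    'forbidden' and 'not found' is deliberate: a distinct 403 for existing
    accounts would reintroduce the discrepancy."""
    if requester == username and username in USERS:
        return 200, USERS[username]
    return 404, None


def responses_distinguish(handler, requester, existing, missing):
    """True if a requester can tell an existing account from a missing one by
    the status code alone. Used here as a regression check for the fix."""
    return handler(requester, existing)[0] != handler(requester, missing)[0]


# Constructed access-log lines (hypothetical format): one client queries six
# different usernames within five seconds; another only touches two names.
ACCESS_LOG = """\
2025-07-21T20:53:01Z client=203.0.113.7 user=alice path=/api/user/alice status=200
2025-07-21T20:53:02Z client=203.0.113.7 user=alice path=/api/user/bob status=200
2025-07-21T20:53:02Z client=203.0.113.7 user=alice path=/api/user/carol status=404
2025-07-21T20:53:03Z client=203.0.113.7 user=alice path=/api/user/dave status=404
2025-07-21T20:53:04Z client=203.0.113.7 user=alice path=/api/user/erin status=404
2025-07-21T20:53:05Z client=203.0.113.7 user=alice path=/api/user/frank status=404
2025-07-21T20:55:10Z client=198.51.100.4 user=bob path=/api/user/bob status=200
2025-07-21T20:55:40Z client=198.51.100.4 user=bob path=/api/user/alice status=200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
    r"path=/api/user/(?P<target>\S+) status=(?P<status>\d{3})$"
)


def flag_enumeration(log_text, max_targets=5, window_seconds=60):
    """Return clients that requested at least `max_targets` distinct usernames
    within `window_seconds`. Status codes are intentionally ignored: after the
    uniform-response fix they carry no signal, but the request burst still does."""
    per_client = defaultdict(lambda: {"targets": set(), "times": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        rec = per_client[m["client"]]
        rec["targets"].add(m["target"])
        rec["times"].append(datetime.fromisoformat(m["ts"].replace("Z", "+00:00")))
    flagged = []
    for client, rec in per_client.items():
        span = (max(rec["times"]) - min(rec["times"])).total_seconds()
        if len(rec["targets"]) >= max_targets and span <= window_seconds:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for name, handler in (("leaky", lookup_user_leaky), ("uniform", lookup_user_uniform)):
        print(name, "distinguishes accounts:",
              responses_distinguish(handler, "alice", "bob", "nobody"))
    print("flagged clients:", flag_enumeration(ACCESS_LOG))
```

The detector is deliberately independent of the status code, so it keeps working once the endpoint no longer leaks existence; in a real deployment the same per-client counter would feed a rate limiter or an alert rather than a list.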


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-16T23:53:40.509Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 687eaa92a83201eaac1449a2

Added to database: 7/21/2025, 9:01:06 PM

Last enriched: 7/29/2025, 1:17:48 AM

Last updated: 9/5/2025, 8:38:38 AM
