CVE-2025-54477 is a vulnerability identified in the Joomla! CMS, specifically affecting versions 4.0.0 through 4.4.13 and 5.0.0 through 5.3.3. The issue arises from improper handling of authentication requests within the passkey authentication method, leading to a user enumeration vector. User enumeration vulnerabilities occur when an attacker can distinguish valid usernames or accounts from invalid ones based on system responses or observable discrepancies during authentication attempts. In this case, the passkey authentication method—likely a modern authentication mechanism designed to enhance security—fails to uniformly handle authentication failures, thereby leaking information about the existence of user accounts. This vulnerability is categorized under CWE-203 (Observable Discrepancy), which involves differences in system behavior that can be observed and exploited by attackers to gain unauthorized information. Although no CVSS score has been assigned yet and no known exploits are currently reported in the wild, the presence of such a vulnerability in a widely used CMS like Joomla! is significant. Joomla! is a popular content management system powering many websites globally, including numerous European organizations. The ability to enumerate users can be a stepping stone for further attacks such as targeted phishing, brute force password attacks, or social engineering, as attackers can focus on valid accounts rather than guessing blindly. The vulnerability affects multiple major versions of Joomla!, indicating a broad attack surface. Since it involves authentication mechanisms, the integrity and confidentiality of user credentials and access controls are at risk. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate attention by administrators.

For European organizations relying on Joomla! CMS, this vulnerability poses a moderate to high risk. User enumeration can facilitate targeted attacks against valid users, increasing the likelihood of successful credential compromise or account takeover. This is particularly critical for organizations handling sensitive data, such as government agencies, financial institutions, healthcare providers, and e-commerce platforms. The exposure of valid usernames can also aid attackers in crafting convincing phishing campaigns tailored to specific users or departments. Additionally, if attackers combine this vulnerability with other weaknesses, they could escalate their access or disrupt services. Although the vulnerability itself does not directly allow unauthorized access or code execution, it undermines the confidentiality and integrity of authentication processes. European organizations with public-facing Joomla! websites or intranet portals are especially vulnerable, as attackers can probe authentication endpoints remotely without authentication or user interaction. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability details become widely known.

1. Immediate mitigation should include monitoring authentication logs for unusual or repeated failed login attempts that could indicate enumeration attempts. 2. Implement rate limiting and account lockout policies on authentication endpoints to reduce the feasibility of enumeration and brute force attacks. 3. Employ web application firewalls (WAFs) with rules designed to detect and block suspicious authentication request patterns targeting the passkey method. 4. Where possible, disable or restrict the passkey authentication method temporarily until a patch is available, especially if it is not widely used within the organization. 5. Encourage users to enable multi-factor authentication (MFA) to mitigate risks from compromised credentials. 6. Keep Joomla! CMS installations updated and monitor the Joomla! Project’s official channels for patches or security advisories addressing this vulnerability. 7. Conduct internal security assessments and penetration tests focusing on authentication mechanisms to identify and remediate similar issues proactively. 8. Educate users about phishing risks, as user enumeration can facilitate targeted social engineering attacks.