
CVE-2025-62181: CWE-204: Observable Response Discrepancy in Pegasystems Pega Infinity

Severity: Medium
Tags: Vulnerability, CVE-2025-62181, CWE-204
Published: Wed Dec 10 2025 (12/10/2025, 20:41:08 UTC)
Source: CVE Database V5
Vendor/Project: Pegasystems
Product: Pega Infinity

Description

Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a user enumeration vulnerability. This issue occurs during the user authentication process, where a difference in response time could allow a remote unauthenticated user to determine whether a username is valid or not. This only applies to the deprecated basic-authentication feature; other, more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: the Basic credentials authentication service type is deprecated starting in version 24.2: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.

AI-Powered Analysis

AILast updated: 12/17/2025, 23:14:02 UTC

Technical Analysis

CVE-2025-62181 is a user enumeration vulnerability classified under CWE-204 (Observable Response Discrepancy) affecting Pegasystems Pega Infinity versions 7.1.0 through 25.1.0. The issue arises during the user authentication process when the deprecated basic-authentication feature is used. According to the vendor description, the observable discrepancy is a difference in response time: an unauthenticated attacker can remotely submit authentication requests with candidate usernames and compare how long the server takes to reject them, inferring which usernames exist without holding valid credentials or requiring any user interaction. Because a single request yields only a noisy timing sample, practical exploitation involves many requests per candidate username and statistical comparison against a known-valid account. The vulnerability does not directly expose passwords or other sensitive data, and it does not permit modification of data or denial of service; its value to an attacker is reconnaissance, producing a list of valid usernames for later credential stuffing, password spraying, or phishing. The basic-authentication service type has been deprecated since Pega Infinity 24.2, and the vendor recommends migrating to its other authentication mechanisms such as OAuth or SAML. Patches are listed for 24.1.4, 24.2.4, and 25.1.1 only; the description names no patched build for older release lines, so for those deployments the remediation is to disable basic authentication or upgrade. No known exploits are currently reported in the wild. The CVSS v3.1 base score is 5.3 (Medium): network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact (disclosure of username validity).
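The following is an added illustration of the vulnerability class, not Pega's code: the vendor description says only that response time differs for valid and invalid usernames, and does not say how the Pega implementation produces that difference. The constructed example below shows the most common cause, a login routine that skips the expensive password hash when the username is unknown, beside a hardened version that does the same work on both paths, plus a small timing probe of the kind a tester would use to confirm or rule out the discrepancy. The user store, hash parameters, and usernames are all made up for the example.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed credential store (not Pega's data model): username -> (salt, PBKDF2 hash).
_ITERATIONS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}

# Dummy credential, hashed once at startup, so the hardened path can run a real
# hash computation for unknown usernames instead of returning early.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder-password-never-valid", _DUMMY_SALT)


def vulnerable_login(username: str, password: str) -> tuple[bool, int]:
    """Returns (authenticated, hash_operations_performed).

    The early return for unknown users skips the slow hash entirely, so a
    rejection for a non-existent username is measurably faster than a
    rejection for a real one: the CWE-204 timing oracle."""
    record = USERS.get(username)
    if record is None:
        return False, 0
    salt, expected = record
    return hmac.compare_digest(_hash(password, salt), expected), 1


def hardened_login(username: str, password: str) -> tuple[bool, int]:
    """Same signature, but identical work on both paths.

    Unknown usernames are verified against the dummy hash, and the existence
    check is folded in only after the hash has been computed, so timing no
    longer depends on whether the username is valid."""
    record = USERS.get(username)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash(password, salt), expected)
    return match and record is not None, 1


def timing_profile(login, username: str, samples: int = 15) -> float:
    """Median wall-clock time in milliseconds to reject a wrong password for
    `username`. Compare a known-valid account against a random candidate: a
    large gap indicates an enumeration oracle."""
    durations = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, "definitely-wrong-password")
        durations.append(time.perf_counter() - start)
    return statistics.median(durations) * 1000.0


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        known = timing_profile(fn, "alice")
        unknown = timing_profile(fn, "mallory")
        print(f"{name:10s} known user: {known:7.2f} ms   unknown user: {unknown:7.2f} ms")
```

Against a live system the same probe is run over HTTP, sending the basic-auth header with a constant wrong password and many repetitions per username; a gap that persists across repeated medians, rather than a single fast response, is what distinguishes the oracle from network jitter.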

Potential Impact

For European organizations, this vulnerability primarily poses a risk of user enumeration: an attacker can compile a list of valid usernames from an exposed Pega Infinity deployment that still accepts basic authentication. That list is the input to subsequent attacks such as credential stuffing, password spraying, brute force, or social engineering campaigns against the identified users. Beyond revealing whether a username exists, the vulnerability does not compromise data confidentiality, integrity, or availability on its own, but it removes the guesswork from the first stage of an account takeover. Organizations in sectors with high-value targets such as finance, government, healthcare, and large enterprises are particularly exposed where Pega Infinity is reachable from the internet with basic authentication enabled, and the impact is heightened where usernames follow a predictable scheme (for example, corporate e-mail addresses) or where credentials are reused across systems. Because the basic-authentication feature is deprecated, continued use of it also means operating on a code path that receives no further security investment from the vendor. The medium severity rating suggests it should be addressed promptly but does not represent an immediate critical threat; failure to remediate, however, leaves an inexpensive reconnaissance step available to anyone targeting the deployment.

Mitigation Recommendations

European organizations should take the following specific actions to mitigate this vulnerability:

1) Identify and inventory all Pega Infinity instances and determine which authentication service types are configured on each; this vulnerability only applies where the deprecated Basic credentials authentication service type is enabled.

2) Upgrade affected installations to the patched releases 24.1.4, 24.2.4, or 25.1.1. The vendor lists no patched build for release lines older than 24.1, so deployments on those lines need either an upgrade or step 3.

3) Disable the basic-authentication feature entirely and migrate to one of the vendor-recommended mechanisms such as OAuth 2.0, SAML, or OpenID Connect. Removing the deprecated service type eliminates the affected code path regardless of patch level.

4) After patching or reconfiguring, verify the fix rather than assuming it: repeatedly submit a wrong password for a known-valid username and for a random username, and compare the median response times. A persistent gap between the two means the oracle is still present.

5) Implement monitoring and alerting for enumeration patterns on the login endpoint, in particular one source address failing authentication against many distinct usernames in a short window, as opposed to a single user repeatedly mistyping their own password. Rate limiting at the reverse proxy or WAF also raises the cost of the many-request sampling that timing-based enumeration requires.

6) Review and enforce strong password policies and deploy multi-factor authentication so that an enumerated username alone does not lead to account compromise.

7) Conduct user awareness training, since enumerated usernames are often used to target phishing.

8) Regularly audit authentication configurations in Pega Infinity against vendor guidance so that deprecated service types do not remain enabled after upgrades.

These steps go beyond generic advice by focusing on removal of the deprecated feature, patch application with post-patch verification, and detection of the request pattern enumeration produces.
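As an added example for the monitoring step above (not part of the original advisory and not based on any Pega log format), the following Python detector flags a source address that fails authentication against many distinct usernames within a short window, while leaving alone a single user who repeatedly fails on one account. The log line format, field names, IP addresses (RFC 5737 documentation ranges), usernames, and thresholds are all constructed for the example; in a real deployment the parser would be adapted to the authentication log the Pega front end or reverse proxy actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: "<ISO-8601 UTC timestamp> src=<ip> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one enumerating source, one legitimate user mistyping a
# password, one slow scanner spread over minutes, and one malformed line.
SAMPLE_LOG = """
2025-12-11T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2025-12-11T08:00:02Z src=198.51.100.5 user=bob result=FAIL
2025-12-11T08:00:03Z src=203.0.113.7 user=bob result=FAIL
2025-12-11T08:00:04Z src=198.51.100.5 user=bob result=FAIL
2025-12-11T08:00:05Z src=203.0.113.7 user=carol result=FAIL
this line is not an auth event and must be skipped
2025-12-11T08:00:06Z src=198.51.100.5 user=bob result=FAIL
2025-12-11T08:00:07Z src=203.0.113.7 user=dave result=FAIL
2025-12-11T08:00:08Z src=198.51.100.5 user=bob result=FAIL
2025-12-11T08:00:09Z src=203.0.113.7 user=erin result=FAIL
2025-12-11T08:00:10Z src=198.51.100.5 user=bob result=FAIL
2025-12-11T08:00:11Z src=203.0.113.7 user=frank result=FAIL
2025-12-11T08:00:12Z src=198.51.100.5 user=bob result=FAIL
2025-12-11T08:00:14Z src=198.51.100.5 user=bob result=OK
2025-12-11T08:00:00Z src=192.0.2.9 user=pat result=FAIL
2025-12-11T08:02:00Z src=192.0.2.9 user=quinn result=FAIL
2025-12-11T08:04:00Z src=192.0.2.9 user=ruth result=FAIL
2025-12-11T08:06:00Z src=192.0.2.9 user=sam result=FAIL
2025-12-11T08:08:00Z src=192.0.2.9 user=tess result=FAIL
""".strip().splitlines()


def parse(line: str):
    """Return (timestamp, src, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["user"], m["result"]


def detect_enumeration(lines, window_s: int = 60, min_distinct: int = 5) -> dict:
    """Sliding-window detector.

    Returns {src: sorted list of usernames} for every source that produced
    authentication failures against at least `min_distinct` different
    usernames inside some `window_s`-second window. Failures against a single
    username never trigger it, whatever their count."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e[0])
    recent = defaultdict(deque)  # src -> deque of (timestamp, username) failures
    flagged = {}
    for ts, src, user, result in events:
        if result != "FAIL":
            continue
        window = recent[src]
        window.append((ts, user))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        distinct = {u for _, u in window}
        if len(distinct) >= min_distinct:
            flagged.setdefault(src, set()).update(distinct)
    return {src: sorted(users) for src, users in flagged.items()}


if __name__ == "__main__":
    for src, users in detect_enumeration(SAMPLE_LOG).items():
        print(f"enumeration suspected from {src}: {len(users)} usernames {users}")
```

With the defaults, only 203.0.113.7 is reported; 198.51.100.5 fails six times but against one account, and 192.0.2.9 spreads its attempts two minutes apart. Widening the window (for example, to ten minutes) catches the slow scanner as well, which is the trade-off to tune against the false-positive rate of the deployment.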


Technical Details

Data Version: 5.2
Assigner Short Name: Pega
Date Reserved: 2025-10-07T19:04:27.220Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6939dce9a97935729e774028

Added to database: 12/10/2025, 8:49:45 PM

Last enriched: 12/17/2025, 11:14:02 PM

Last updated: 2/5/2026, 10:47:08 AM


