
CVE-2025-66307: CWE-204: Observable Response Discrepancy in getgrav grav

Severity: Medium
Tags: Vulnerability, CVE-2025-66307, CWE-204
Published: Mon Dec 01 2025 (12/01/2025, 21:53:43 UTC)
Source: CVE Database V5
Vendor/Project: getgrav
Product: grav

Description

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a user enumeration and email disclosure vulnerability exists in Grav. The "Forgot Password" functionality at /admin/forgot leaks information about valid usernames and their associated email addresses through distinct server responses. This allows an attacker to enumerate users and disclose sensitive email addresses, which can be leveraged for targeted attacks such as password spraying, phishing, or social engineering. This vulnerability is fixed in 1.11.0-beta.1.

AI-Powered Analysis

AI analysis last updated: 12/01/2025, 22:09:23 UTC

Technical Analysis

CVE-2025-66307 affects the Grav content management system's admin plugin, specifically versions prior to 1.11.0-beta.1. The vulnerability arises from an observable response discrepancy in the 'Forgot Password' feature located at /admin/forgot. When a request is made to reset a password, the server responds differently depending on whether the submitted username exists in the system. This discrepancy enables an attacker to enumerate valid usernames and retrieve associated email addresses. The vulnerability is classified under CWE-204 (Observable Response Discrepancy), which involves information leakage through differences in system responses. By enumerating users and their emails, attackers can craft targeted phishing campaigns, conduct password spraying attacks, or perform social engineering to gain further access. The vulnerability requires no authentication or user interaction, making it straightforward to exploit remotely over the network. The CVSS 3.1 base score is 6.5, indicating a medium severity level with network attack vector, low attack complexity, no privileges required, no user interaction, and limited confidentiality and availability impact. The flaw does not directly compromise system integrity or allow unauthorized password resets but leaks sensitive user information that can be leveraged in follow-on attacks. The issue was addressed and fixed in Grav version 1.11.0-beta.1, which removes the response discrepancy and prevents user enumeration and email disclosure.
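To make the CWE-204 pattern concrete, here is an added example (not Grav's code, and the response strings and user table are invented) modelling a "forgot password" handler in two forms: one that answers differently depending on whether the username exists and echoes the account's e-mail, and a hardened one that returns the same status and body in both cases while still sending the reset link server-side. A small checker confirms that the hardened handler gives an observer nothing to distinguish.

```python
"""CWE-204 in a password-reset endpoint: vulnerable vs. hardened handler.

Added example, not Grav's code. USERS is a constructed sample store and the
response texts are hypothetical; only the response-discrepancy pattern mirrors
what the advisory describes.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample user store (hypothetical values).
USERS: Dict[str, str] = {
    "admin": "admin@example.org",
    "editor": "editor@example.org",
}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


Outbox = List[Tuple[str, str]]  # (recipient e-mail, message kind)


def forgot_vulnerable(username: str, outbox: Outbox) -> Response:
    """Distinct responses per branch: an observer learns whether the username
    exists, and on a hit also learns the associated e-mail address."""
    email: Optional[str] = USERS.get(username)
    if email is None:
        return Response(404, "Username not found.")
    outbox.append((email, "reset-link"))
    return Response(200, f"Reset instructions sent to {email}.")


# One fixed message, used on every code path.
GENERIC = "If that account exists, password reset instructions have been sent."


def forgot_hardened(username: str, outbox: Outbox) -> Response:
    """Uniform response: same status code and body whether or not the user
    exists. The lookup and the e-mail send still happen, but their outcome is
    never reflected back to the client."""
    email: Optional[str] = USERS.get(username)
    if email is not None:
        outbox.append((email, "reset-link"))
    # Note: keep redirects, headers and rendered templates identical too;
    # any observable difference reintroduces the discrepancy.
    return Response(200, GENERIC)


def is_discrepant(handler: Callable[[str, Outbox], Response],
                  known: str, unknown: str) -> bool:
    """True if status code or body differs between a valid and an invalid
    username, i.e. the handler lets an observer enumerate accounts."""
    a = handler(known, [])
    b = handler(unknown, [])
    return (a.status, a.body) != (b.status, b.body)


if __name__ == "__main__":
    print("vulnerable discrepant:", is_discrepant(forgot_vulnerable, "admin", "nobody"))
    print("hardened discrepant:  ", is_discrepant(forgot_hardened, "admin", "nobody"))
```

The checker compares only status and body; a practitioner auditing a real deployment would also compare response headers, redirect targets and, with many samples, response timing, since the hardened variant above still does slightly more work on the "user exists" branch.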

Potential Impact

For European organizations using Grav CMS versions prior to 1.11.0-beta.1, this vulnerability poses a significant risk of user enumeration and email disclosure. The leaked information can be exploited to launch targeted phishing campaigns, which are a common vector for credential theft and malware delivery. Password spraying attacks facilitated by valid username enumeration can lead to account compromise, especially if users reuse passwords or use weak credentials. Social engineering attacks leveraging disclosed email addresses can increase the likelihood of successful breaches. While the vulnerability does not directly allow system takeover or data modification, it lowers the attacker's effort to identify valid accounts and craft convincing attacks. Organizations in sectors with high-value targets, such as finance, government, healthcare, and critical infrastructure, may face elevated risks. Because the vulnerability is reachable over the network without authentication, exposure is greatest for publicly accessible Grav admin interfaces. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits following public disclosure. Overall, the vulnerability facilitates the reconnaissance and initial access phases of cyberattacks, which can lead to more severe consequences if combined with other vulnerabilities or weak security controls.

Mitigation Recommendations

European organizations should immediately upgrade Grav CMS to version 1.11.0-beta.1 or later to remediate this vulnerability. If upgrading is not immediately feasible, organizations should implement compensating controls such as restricting access to the /admin/forgot endpoint via IP whitelisting or VPN-only access to limit exposure. Implementing web application firewalls (WAFs) with custom rules to detect and block user enumeration patterns can reduce exploitation risk. Monitoring logs for repeated requests to the password reset functionality and anomalous access patterns can help detect reconnaissance attempts. Organizations should also enforce strong password policies and multi-factor authentication (MFA) for admin accounts to mitigate the impact of credential-based attacks. User awareness training focused on phishing and social engineering risks is critical to reduce the effectiveness of attacks leveraging disclosed email addresses. Regular vulnerability scanning and penetration testing should include checks for user enumeration vulnerabilities. Finally, ensure that all software components are kept up to date with security patches to prevent exploitation of known vulnerabilities.
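The monitoring recommendation above (watching for repeated requests to the password reset functionality) can be implemented as a simple log check. The following is an added example, not part of the advisory or of Grav: it parses Apache/nginx combined-format access log lines, counts POST requests to /admin/forgot per client address within a sliding time window, and reports sources that exceed a threshold. The sample log, the addresses, the window and the threshold are all constructed for illustration; note that once the endpoint has been patched to respond uniformly, status codes no longer separate hits from misses, so request volume per source is the signal to watch.

```python
"""Flag password-reset enumeration attempts in web server access logs.

Added example, not part of the advisory or of Grav. SAMPLE_LOG is constructed;
IPs, timestamps, window and threshold are hypothetical.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, Optional

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one source hammers the reset form, two others use it once.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Dec/2025:21:00:01 +0000] "POST /admin/forgot HTTP/1.1" 200 512
192.0.2.9 - - [01/Dec/2025:21:00:01 +0000] "GET /admin/forgot HTTP/1.1" 200 2048
203.0.113.5 - - [01/Dec/2025:21:00:02 +0000] "POST /admin/forgot HTTP/1.1" 200 512
203.0.113.5 - - [01/Dec/2025:21:00:03 +0000] "POST /admin/forgot HTTP/1.1" 200 512
203.0.113.5 - - [01/Dec/2025:21:00:04 +0000] "POST /admin/forgot HTTP/1.1" 200 512
192.0.2.9 - - [01/Dec/2025:21:00:05 +0000] "POST /admin/forgot HTTP/1.1" 200 512
203.0.113.5 - - [01/Dec/2025:21:00:06 +0000] "POST /admin/forgot HTTP/1.1" 200 512
203.0.113.5 - - [01/Dec/2025:21:00:07 +0000] "POST /admin/forgot HTTP/1.1" 200 512
198.51.100.7 - - [01/Dec/2025:21:00:30 +0000] "POST /admin/forgot HTTP/1.1" 200 512
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def flag_reset_enumeration(lines: Iterable[str], path: str = "/admin/forgot",
                           window_s: int = 60, threshold: int = 5) -> Dict[str, int]:
    """Return {ip: peak_count} for sources that POST to `path` at least
    `threshold` times inside any `window_s`-second span. Lines are assumed to
    be in chronological order, as access logs normally are."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peaks: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Evict timestamps that fell out of the sliding window.
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        peaks[rec["ip"]] = max(peaks[rec["ip"]], len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in flag_reset_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} reset requests within 60s")
```

In practice the threshold should be tuned to the site's normal reset volume, and the same counting can be keyed on a session or user-agent fingerprint as well as the source address, since enumeration is easy to spread across many addresses.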


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-26T23:11:46.396Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 692e11fe6dbd3477d7432f1c

Added to database: 12/1/2025, 10:09:02 PM

Last enriched: 12/1/2025, 10:09:23 PM

Last updated: 12/1/2025, 11:12:36 PM

