CVE-2025-67806 is a vulnerability identified in the login mechanism of Sage DPW software versions before 2021_06_000. The issue arises because the login system provides distinguishable responses when a username is valid versus when it is invalid, enabling an attacker to enumerate existing accounts without authentication or user interaction. This username enumeration flaw can facilitate reconnaissance activities by attackers, potentially leading to more targeted attacks such as password guessing or social engineering. The vulnerability is rated with a CVSS 3.1 score of 3.7, reflecting low severity due to limited impact on confidentiality and no impact on integrity or availability. Notably, in newer versions of Sage DPW, on-premise administrators have the ability to toggle this behavior, mitigating the risk. There are no known exploits in the wild, and no patches or updates are explicitly linked in the provided information. The vulnerability primarily affects on-premise deployments of Sage DPW prior to version 2021_06_000, with no indication of impact on cloud or other deployment models.

The primary impact of this vulnerability is the potential disclosure of valid usernames through enumeration, which compromises confidentiality to a limited extent. While it does not directly affect system integrity or availability, the exposure of valid account names can facilitate subsequent attacks such as brute force password attempts, phishing, or social engineering campaigns. Organizations using affected versions of Sage DPW may face increased risk of targeted credential attacks, especially if combined with weak password policies or lack of multi-factor authentication. However, since exploitation does not require privileges or user interaction and the vulnerability is low severity, the immediate risk is moderate. The absence of known exploits in the wild reduces urgency but does not eliminate the need for mitigation. The impact is more significant in environments where Sage DPW is critical for business operations or where user accounts have elevated privileges.

Organizations should first verify the version of Sage DPW in use and upgrade to versions 2021_06_000 or later where the username enumeration behavior can be toggled off by on-premise administrators. If upgrading is not immediately feasible, administrators should configure the login mechanism to provide uniform responses for both valid and invalid usernames to prevent enumeration. Implementing account lockout policies or rate limiting login attempts can further reduce the risk of automated enumeration and brute force attacks. Additionally, enforcing strong password policies and deploying multi-factor authentication will mitigate the risk of credential compromise following enumeration. Monitoring login attempts for unusual patterns and employing intrusion detection systems can help identify exploitation attempts. Finally, educating users about phishing risks and suspicious login activities complements technical controls.