CVE-2025-62181

Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration where during user authentication process, a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.

Description

Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.

INFO

Published Date :

2025-12-10T20:41:08.517Z

Last Modified :

2025-12-11T15:32:31.153Z

Source :

Pega

AFFECTED PRODUCTS

The following products are affected by CVE-2025-62181 vulnerability.

Vendors	Products
Pegasystems	Pega Infinity

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-62181.

URL	Resource
https://support.pega.com/support-doc/pega-security-advisory-j25-vulnerability-remediation-note

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact