CVE-2025-0693

Summary

Variable response times in the AWS Sign-in IAM user login flow allowed for the use of brute force enumeration techniques to identify valid IAM usernames in an arbitrary AWS account.

Affected Software

VendorProductVersion RangeStatus
AWSAWS Sign-in IAM Login FlowN/Aaffected

Weaknesses

  • CWE-204: CWE-204: Observable Response Discrepancy
  • CWE-208: CWE-208: Observable Timing Discrepancy

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References