CVE-2025-27451

Summary

For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one.

Affected Software

VendorProductVersion RangeStatus
Endress+HauserEndress+Hauser MEAC300-FNADE40 <= <=0.16.0affected
Endress+HauserEndress+Hauser MEAC300-FNADE4>=0.17.0unaffected

Weaknesses

  • CWE-204: CWE-204 Observable Response Discrepancy

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References