CVE-2025-24487

5.3 MEDIUM

📋 TL;DR

This vulnerability allows unauthenticated attackers to determine which usernames exist in a system by querying a specific API. This affects systems running vulnerable versions of the software that expose the affected API endpoint. The information disclosure can facilitate further attacks.

💻 Affected Systems

Products:
  • Specific product names not provided in CVE description
Versions: Version range not specified in provided information
Operating Systems: Not specified
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when API endpoint is accessible. Check vendor advisory for specific product details.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers build targeted credential stuffing or brute-force attacks using valid usernames, potentially leading to account compromise and lateral movement.

🟠 Likely Case

Attackers enumerate valid usernames to create targeted phishing campaigns or prepare for credential attacks against known accounts.

🟢 If Mitigated

Limited to username enumeration only, with no direct access to passwords or sensitive data if proper authentication controls exist.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple API queries can reveal username existence through timing differences or error message variations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04

Restart Required: No

Instructions:

1. Review vendor advisory for specific patch information.
2. Apply available patches according to vendor instructions.
3. Verify the fix by testing the API endpoint.

🔧 Temporary Workarounds

API Endpoint Restriction (applies to: all)

Restrict access to the vulnerable API endpoint using network controls or authentication.

Rate Limiting (applies to: all)

Implement rate limiting on the API endpoint to slow down enumeration attempts.

🧯 If You Can't Patch

  • Implement network segmentation to restrict API access to trusted sources only
  • Deploy web application firewall rules to detect and block username enumeration patterns

🔍 How to Verify

Check if Vulnerable:

Test API endpoint with known and unknown usernames; observe if responses differ indicating username existence.

Check Version:

Check vendor documentation for version identification commands specific to affected product.

Verify Fix Applied:

After applying controls, test that API responses no longer reveal username existence through timing or error differences.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts with different usernames
  • Unusual API query patterns to user-related endpoints

Network Indicators:

  • High volume of requests to specific API endpoint from single source
  • Pattern of requests with incremental username variations

SIEM Query:

source_ip=* AND (uri_path CONTAINS "/api/user" OR uri_path CONTAINS "/auth") AND status_code=200 AND count>100 within 5min
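The SIEM query above, worked through in code as an added example (not part of the original page or any vendor tooling): it scans access-log lines for more than 100 HTTP 200 responses from one source to a /api/user or /auth path inside any five-minute window, and reports how many distinct usernames that source probed. The log line shape and the convention that the probed username travels in a `name` query parameter are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Assumed log shape (constructed for this example): "<iso-timestamp> <src_ip> <uri_path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
WATCHED = ("/api/user", "/auth")   # the endpoints named in the SIEM query

def parse_line(line):
    """Parse one log line into (timestamp, src_ip, uri, status) or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, uri, status = m.groups()
    return datetime.fromisoformat(ts), ip, uri, int(status)

def username_of(uri):
    """Assumed convention: the probed username is carried in the 'name' query parameter."""
    return parse_qs(urlsplit(uri).query).get("name", [None])[0]

def find_enumeration(lines, window=timedelta(minutes=5), threshold=100):
    """Return {src_ip: distinct_usernames_probed} for every source that sent more than
    `threshold` HTTP 200 requests to a watched endpoint inside any `window`."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 200 and any(w in rec[2] for w in WATCHED):
            events[rec[1]].append((rec[0], username_of(rec[2])))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):               # sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 > threshold:       # burst found: report all names this source tried
                alerts[ip] = len({u for _, u in evs})
                break
    return alerts

# Constructed sample: one source walks 120 usernames in four minutes, another makes 3 ordinary calls.
SAMPLE = [f"2025-04-15T10:{i // 30:02d}:{(i * 2) % 60:02d} 203.0.113.5 /api/user?name=user{i:03d} 200"
          for i in range(120)]
SAMPLE += [f"2025-04-15T10:0{i}:15 198.51.100.7 /api/user?name=alice 200" for i in range(3)]

if __name__ == "__main__":
    for ip, distinct in find_enumeration(SAMPLE).items():
        print(f"ALERT {ip}: >100 watched-endpoint requests in 5 min, {distinct} distinct usernames")
```

Counting distinct usernames alongside raw volume separates an enumeration sweep from a single busy but legitimate client that repeats the same account.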
