CVE-2025-24980
📋 TL;DR
This vulnerability in pimcore/admin-ui-classic-bundle allows unauthenticated attackers to enumerate valid user accounts through the backend 'Forgot password' function, because the response differs depending on whether the submitted username exists. Attackers can therefore determine which accounts exist on the system and focus credential attacks on them. All users running affected versions of this Pimcore backend UI component are impacted.
💻 Affected Systems
- pimcore/admin-ui-classic-bundle
📦 What is this software?
Pimcore is an open-source PHP platform for content, digital asset and product data management. pimcore/admin-ui-classic-bundle is the Composer package that provides its classic backend (admin) UI, including the login screen and the 'Forgot password' function affected here.
⚠️ Risk & Real-World Impact
Worst Case
Attackers identify all valid user accounts, enabling targeted credential stuffing, phishing campaigns, or brute-force attacks against known users, potentially leading to account compromise.
Likely Case
Attackers enumerate valid administrative or user accounts, increasing the success rate of subsequent authentication attacks against the identified accounts.
If Mitigated
With proper controls like rate limiting and generic error messages, impact is limited to minimal information disclosure without direct system compromise.
🎯 Exploit Status
Exploitation requires only web access to the forgot password function; no authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.4
Vendor Advisory: https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-vr5f-php7-rg24
Restart Required: No (if PHP opcache runs with validate_timestamps disabled, reload PHP-FPM so the patched files are actually loaded)
Instructions:
1. Update the bundle via Composer: composer update pimcore/admin-ui-classic-bundle (add --with-dependencies if Composer reports a version constraint conflict).
2. Clear the Symfony application cache so the patched controller code is used.
3. Verify the update by checking the installed bundle version (see How to Verify below).
🔧 Temporary Workarounds
Implement generic error messages
Manually modify the forgot password function to return the same generic message (for example "If the account exists, a reset e-mail has been sent") regardless of whether the account exists, and keep the response time comparable in both cases so that timing does not become a second oracle.
🧯 If You Can't Patch
- Implement rate limiting on the forgot password endpoint to slow down enumeration attempts.
- Monitor logs for unusual patterns of forgot password requests from single IPs.
🔍 How to Verify
Check if Vulnerable:
Submit the forgot password form once with a known-valid username and once with a username that certainly does not exist; if the responses differ in status code, message or body (e.g. 'user not found' vs. 'email sent'), or markedly in response time, the system is vulnerable.
Check Version:
composer show pimcore/admin-ui-classic-bundle | grep version
Verify Fix Applied:
After patching, test the forgot password function; both valid and invalid usernames should return identical generic messages.
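The two checks above (is it vulnerable, is the fix effective) are the same measurement: send a lost-password request for an existing and for a non-existent username and look for any channel that tells them apart. The following added example script (not Pimcore project code) does this for status code, normalized response body and latency. It assumes the default Pimcore classic admin route /admin/login/lostpassword, a form field named username and no CSRF token on that form; confirm all three against your install (bin/console debug:router and the login page markup) before relying on it.

```python
"""Added example (not Pimcore project code): probe the 'Forgot password'
endpoint with a known-valid and a known-invalid username and report every
channel that distinguishes them (HTTP status, response body, timing)."""
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Assumptions: default Pimcore classic admin lost-password route and the form
# field name. Confirm both with `bin/console debug:router` and the page markup.
LOSTPASSWORD_PATH = "/admin/login/lostpassword"
USERNAME_FIELD = "username"


@dataclass
class Observation:
    status: int
    body: str
    elapsed: float  # seconds


def normalize(body: str) -> str:
    """Remove per-request noise (CSRF tokens, whitespace) so that only
    differences that actually depend on the username remain."""
    body = re.sub(r'(name="_csrf_token"\s+value=")[^"]*(")', r"\1X\2", body)
    body = re.sub(r"(csrfToken\s*[:=]\s*['\"])[^'\"]*(['\"])", r"\1X\2", body)
    return re.sub(r"\s+", " ", body).strip()


def compare(valid: Observation, invalid: Observation,
            timing_threshold: float = 0.5) -> list[str]:
    """Return the oracles that separate an existing account from a missing
    one; an empty list means the endpoint behaves identically for both."""
    findings = []
    if valid.status != invalid.status:
        findings.append(f"status differs: {valid.status} vs {invalid.status}")
    if normalize(valid.body) != normalize(invalid.body):
        findings.append("response body differs")
    delta = abs(valid.elapsed - invalid.elapsed)
    if delta > timing_threshold:
        findings.append(f"timing differs by {delta:.2f}s")
    return findings


def probe(base_url: str, username: str, timeout: float = 15) -> Observation:
    """POST one lost-password request and record status, body and latency."""
    data = urllib.parse.urlencode({USERNAME_FIELD: username}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + LOSTPASSWORD_PATH,
                                 data=data, method="POST")
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Observation(resp.status, resp.read().decode(errors="replace"),
                               time.monotonic() - start)
    except urllib.error.HTTPError as err:
        # Non-2xx responses are still observations: a 404 for unknown users
        # would itself be an enumeration oracle.
        return Observation(err.code, err.read().decode(errors="replace"),
                           time.monotonic() - start)


if __name__ == "__main__":
    import sys
    # usage: python probe.py https://pimcore.example.test admin nosuchuser-9f3a
    base, known, unknown = sys.argv[1:4]
    # Warm up once so cold-cache latency on the first request is not mistaken
    # for a timing oracle, then measure.
    probe(base, unknown)
    result = compare(probe(base, known), probe(base, unknown))
    print("VULNERABLE: " + "; ".join(result) if result else
          "no enumeration oracle observed")
```

Run it only against systems you are authorized to test. Before the patch you should see "response body differs"; after updating to 1.7.4 the body check should pass, and a remaining "timing differs" finding would indicate that mail delivery for existing accounts is still measurable, which is worth handling (e.g. by sending asynchronously) even though it is outside the scope of this advisory.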
📡 Detection & Monitoring
Log Indicators:
- Multiple failed forgot password attempts with different usernames from a single IP address.
- Patterns of requests to the forgot password endpoint with varying usernames in short timeframes.
Network Indicators:
- Unusual spikes in POST requests to the forgot password URL.
SIEM Query:
source="web_logs" AND http_method="POST" AND url_path="/admin/login/lostpassword" | bucket _time span=5m | stats count, dc(username) AS distinct_users BY src_ip, _time | where count > 10
The path is the default Pimcore classic admin lost-password route; confirm it for your install (bin/console debug:router) and adjust. The status_code=200 filter is deliberately omitted so that 4xx/5xx responses (e.g. from rate limiting) are still counted. The username field is only available if your proxy or WAF logs form bodies; without it, alert on request count per source IP.
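Where no SIEM is available, the same pattern can be pulled straight out of a web server access log. The following added example (not Pimcore project code) implements the indicator above as a sliding-window count of lost-password POSTs per source IP over combined-format log lines; the sample log is constructed for the example, and the route /admin/login/lostpassword is an assumption about a default install that should be checked with bin/console debug:router.

```python
"""Added example (not Pimcore project code): find hosts that burst POSTs at
the lost-password route, i.e. the pattern a username-enumeration run leaves
in an access log even when request bodies are not logged."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: default Pimcore classic admin route; check `bin/console debug:router`.
LOSTPASSWORD_PATH = "/admin/login/lostpassword"

# Apache/nginx "combined" log format: ip ident user [time] "req" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TIME_FMT), m["method"],
            m["path"].split("?", 1)[0])


def find_bursts(lines, window_seconds=300, threshold=10):
    """Map each source IP to its peak number of lost-password POSTs inside any
    sliding window of window_seconds; only IPs reaching threshold are returned."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == "POST" and parsed[3] == LOSTPASSWORD_PATH:
            per_ip[parsed[0]].append(parsed[1])
    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        window = deque()
        peak = 0
        for ts in stamps:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            hits[ip] = peak
    return hits


def _line(ip, hh_mm_ss, method="POST", path=LOSTPASSWORD_PATH, status=200):
    # Constructed sample line in combined log format (not real traffic).
    return (f'{ip} - - [10/Mar/2025:{hh_mm_ss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 2381 "-" "Mozilla/5.0"')


# Constructed sample: one host hammers the endpoint (12 POSTs in 55 s), another
# host makes three legitimate-looking requests minutes apart, plus a page load.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"10:00:{i * 5:02d}") for i in range(12)]
    + [_line("198.51.100.4", t) for t in ("10:00:30", "10:01:45", "10:03:10")]
    + [_line("198.51.100.4", "10:00:29", method="GET")]
)

if __name__ == "__main__":
    for ip, peak in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} lost-password POSTs within 300 s")
```

Tune window_seconds and threshold to the real traffic of the login page; a single user retrying a few times should stay well below the threshold, while an enumeration run against a wordlist produces dozens of POSTs per minute from one source (or from a small set of sources if the attacker rotates IPs, which this per-IP view will not catch).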
🔗 References
- https://github.com/pimcore/admin-ui-classic-bundle/commit/96ae555578c3b4df368092d71e07a6c4ddf8fbe9
- https://github.com/pimcore/admin-ui-classic-bundle/pull/808
- https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-vr5f-php7-rg24