CVE-2025-41066

5.3 MEDIUM

📋 TL;DR

Horde Groupware v5.2.22 contains a user enumeration vulnerability that allows unauthenticated attackers to determine valid user accounts by checking responses to specific HTTP requests. This affects all deployments using the vulnerable version, potentially exposing user account information to reconnaissance activities.

💻 Affected Systems

Products:
  • Horde Groupware
Versions: v5.2.22
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of Horde Groupware v5.2.22 are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers build comprehensive user lists for targeted phishing, credential stuffing, or brute force attacks against identified accounts.

🟠 Likely Case

Reconnaissance to identify valid users for subsequent attacks, increasing risk of account compromise.

🟢 If Mitigated

Limited information disclosure with no direct system compromise if proper authentication and monitoring are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request with specific parameters reveals user existence through response differences.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.2.23 or later

Vendor Advisory: https://www.horde.org/apps/groupware

Restart Required: Yes

Instructions:

1. Backup current installation.
2. Download latest version from Horde website.
3. Replace vulnerable files with patched version.
4. Restart web server.

🔧 Temporary Workarounds

Web Application Firewall Rule

all

Block or monitor requests to /imp/attachment.php with id and u parameters

Authentication Requirement

all

Require authentication for /imp/attachment.php endpoint

🧯 If You Can't Patch

  • Implement rate limiting on /imp/attachment.php endpoint
  • Monitor logs for enumeration attempts and block suspicious IPs

🔍 How to Verify

Check if Vulnerable:

Send an HTTP GET request to /imp/attachment.php?id=1&u=testuser and observe whether a file download occurs for an existing user but not for a non-existing one.

Check Version:

Check Horde version in web interface or configuration files

Verify Fix Applied:

After patching, the same request should return a consistent response regardless of whether the user exists.

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests to /imp/attachment.php with varying u parameter values
  • Unusual pattern of file downloads from attachment endpoint

Network Indicators:

  • HTTP GET requests to /imp/attachment.php with id and u parameters from single source

SIEM Query:

source="web_logs" AND uri="/imp/attachment.php" AND (parameter="u" OR parameter="id") | stats count by src_ip
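The log indicators above describe the pattern to look for: one source address sending many requests to /imp/attachment.php with a changing `u` parameter. The script below is an added example (not part of this advisory, and not Horde project code) that applies that detection logic to web-server access logs in the common "combined" format. The log lines, IP addresses, usernames and the threshold of three distinct usernames per source are constructed for illustration; tune the threshold to the normal traffic on your deployment.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache/nginx "combined" format); not real traffic.
# The first source cycles through several usernames, the second is an ordinary user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /imp/attachment.php?id=1&u=alice HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /imp/attachment.php?id=1&u=bob HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /imp/attachment.php?id=1&u=carol HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "GET /imp/attachment.php?id=1&u=dave HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:05 +0000] "GET /imp/attachment.php?id=1&u=erin HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2025:10:01:00 +0000] "GET /imp/attachment.php?id=42&u=alice HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:10:05:00 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip, path, query parameters and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query)
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "u": params.get("u", [None])[0],
        "id": params.get("id", [None])[0],
        "status": int(m.group("status")),
    }


def find_enumeration(log_text, path="/imp/attachment.php", min_distinct_users=3):
    """Flag source IPs that hit `path` with at least `min_distinct_users` different u= values.

    Returns a list of findings sorted by the number of distinct usernames, highest first.
    Status-code counts are kept because a mix of 200/404 for the same id is exactly the
    response difference this enumeration issue leaks.
    """
    per_ip = defaultdict(lambda: {"usernames": set(), "requests": 0, "statuses": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != path or rec["u"] is None:
            continue  # ignore other endpoints and requests without a u parameter
        entry = per_ip[rec["ip"]]
        entry["usernames"].add(rec["u"])
        entry["requests"] += 1
        entry["statuses"][rec["status"]] += 1

    findings = []
    for ip, entry in per_ip.items():
        if len(entry["usernames"]) >= min_distinct_users:
            findings.append({
                "ip": ip,
                "distinct_users": len(entry["usernames"]),
                "usernames": sorted(entry["usernames"]),
                "requests": entry["requests"],
                "statuses": dict(entry["statuses"]),
            })
    findings.sort(key=lambda f: f["distinct_users"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_enumeration(SAMPLE_LOG):
        print(f"{f['ip']}: {f['distinct_users']} usernames over {f['requests']} requests, "
              f"status mix {f['statuses']}")
```

Feed real log files to `find_enumeration` by reading them into a string, and raise or lower `min_distinct_users` to match the baseline for your site; the flagged IPs are the candidates for the rate-limiting and blocking workarounds listed above.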

🔗 References
