CVE-2025-54477
📋 TL;DR
This vulnerability allows attackers to enumerate valid usernames in Joomla's passkey authentication system by observing differences in authentication response times or error messages. It affects Joomla CMS installations using passkey authentication. Attackers can identify which usernames exist in the system, facilitating targeted attacks.
💻 Affected Systems
- Joomla CMS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers build a complete list of valid usernames, enabling targeted brute-force attacks, credential stuffing, or social engineering campaigns against identified users.
Likely Case
Attackers enumerate some valid usernames and use them for targeted phishing or credential attacks against those specific accounts.
If Mitigated
With rate limiting and proper logging, only limited username enumeration occurs, detected quickly by security monitoring.
🎯 Exploit Status
Exploitation requires sending authentication requests and analyzing response differences. No authentication needed to attempt enumeration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Joomla 5.1.5
Vendor Advisory: https://developer.joomla.org/security-centre/1011-20250902-core-user-enumeration-in-passkey-authentication-method.html
Restart Required: No
Instructions:
1. Back up your Joomla installation and database.
2. Update to Joomla 5.1.5 via the Joomla Update component in the administrator panel.
3. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable Passkey Authentication
Temporarily disable passkey authentication until patched
Implement Rate Limiting
Configure web server or application rate limiting on authentication endpoints
🧯 If You Can't Patch
- Implement strict rate limiting on authentication endpoints
- Enable detailed logging of authentication attempts and monitor for enumeration patterns
🔍 How to Verify
Check if Vulnerable:
Check the Joomla version in the administrator panel or via 'php version.php' in the Joomla root directory
Check Version:
php version.php
Verify Fix Applied:
Confirm that the Joomla version is 5.1.5 or later, and test that authentication responses for valid and invalid usernames show consistent timing and error messages
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts for different usernames from the same IP
- Unusual pattern of authentication requests
Network Indicators:
- High volume of authentication requests to passkey endpoints
- Requests with sequential or dictionary usernames
SIEM Query:
source="joomla_logs" AND (event_type="authentication_failure" OR event_type="passkey_attempt") | stats dc(username) AS distinct_users BY src_ip | where distinct_users > 10
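The log and network indicators above can be checked offline without a SIEM. The following Python script is an added example, not code from the advisory or from the Joomla project: it applies the "many distinct usernames from one IP inside a short window" rule (the same logic as the SIEM query) to a constructed set of Joomla-style authentication records, and adds a heuristic for the "sequential usernames" network indicator. It assumes JSON-lines records with the fields `ts`, `event_type`, `src_ip` and `username`; real Joomla or web-server logs use a different layout and need their own parser.

```python
"""Offline username-enumeration detector (added example, not Joomla code).

Assumed log format (not from the advisory): one JSON object per line with
ts (ISO-8601, UTC), event_type, src_ip and username, mirroring the field
names used in the SIEM query. The sample records below are constructed.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
DISTINCT_USER_THRESHOLD = 10          # same cut-off as the SIEM query
FAILURE_EVENTS = {"authentication_failure", "passkey_attempt"}


def _constructed_sample_log():
    """Build a small constructed log: one enumerating IP, one ordinary
    user mistyping their name, and one slow enumerator that stays under
    the per-window threshold."""
    base = datetime(2025, 9, 2, 10, 0, 0)

    def rec(offset_s, event, ip, user):
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return json.dumps({"ts": ts, "event_type": event,
                           "src_ip": ip, "username": user})

    lines = []
    # 203.0.113.7: twelve distinct usernames in under two minutes
    for i in range(12):
        lines.append(rec(i * 10, "passkey_attempt", "203.0.113.7", f"user{i}"))
    # 198.51.100.20: one person, two distinct names, then a success
    for i, u in enumerate(["alice", "alcie", "alice"]):
        lines.append(rec(30 + i * 15, "authentication_failure", "198.51.100.20", u))
    lines.append(rec(80, "authentication_success", "198.51.100.20", "alice"))
    # 192.0.2.9: twelve names but six minutes apart (slow enumeration)
    words = ["admin", "root", "test", "guest", "info", "webmaster",
             "support", "sales", "editor", "manager", "joomla", "demo"]
    for i, u in enumerate(words):
        lines.append(rec(i * 360, "authentication_failure", "192.0.2.9", u))
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _constructed_sample_log()


def parse_log(text):
    """Parse JSON-lines records and convert ts to datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_enumeration(records, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD):
    """Return {src_ip: set_of_usernames} for every IP whose failed or
    passkey attempts touch more than `threshold` distinct usernames within
    any sliding `window`."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event_type"] in FAILURE_EVENTS:
            by_ip[r["src_ip"]].append(r)
    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it fits
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            names = {e["username"] for e in evs[start:end + 1]}
            if len(names) > threshold:
                hits[ip] = {e["username"] for e in evs}
                break
    return hits


def looks_sequential(names, min_share=0.8):
    """Heuristic for the 'sequential usernames' indicator: True when at
    least `min_share` of the names are one common stem plus digits."""
    stems = Counter()
    for n in names:
        stem = n.rstrip("0123456789")
        if stem != n:
            stems[stem] += 1
    if not stems:
        return False
    return stems.most_common(1)[0][1] / len(names) >= min_share


if __name__ == "__main__":
    for ip, names in find_enumeration(parse_log(SAMPLE_LOG)).items():
        tag = " (sequential pattern)" if looks_sequential(names) else ""
        print(f"{ip}: {len(names)} distinct usernames{tag}")
```

The 192.0.2.9 records illustrate the limit of any fixed-window threshold: an enumerator that paces requests slower than the window never trips it, so a long-horizon count of distinct usernames per IP (a day, not five minutes) is worth running alongside the short-window rule.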