Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration where during user authentication process, a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.
CVE-2025-62181

5.3MEDIUM

Key Information:

Vendor: Pegasystems
Status: Pega Infinity
Vendor: CVE Published:; 10 December 2025

🔔 Create Pegasystems Vulnerability Alert

What is CVE-2025-62181?

Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.

Affected Version(s)

Pega Infinity 7.1.0

References

https://support.pega.com/support-doc/pega-security-adviso...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 10, 2025
Vulnerability Reserved
Oct 7, 2025

Credit

Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)

Louis Sohier of ENGIE IT Offensive Cybersecurity Team

JSON