Account Enumeration Vulnerability in Mautic by Mautic Inc.
CVE-2025-9824

5.9 MEDIUM

Key Information:

Vendor:
Mautic

Status:
Vendor

CVE Published:
3 September 2025

What is CVE-2025-9824?

Mautic's login form leaks whether a submitted username exists. When the username matches an account, the server runs its deliberately slow password hash to check the password; when it does not, the attempt is rejected before any hashing takes place, so the response comes back noticeably faster. An unauthenticated attacker can therefore submit candidate usernames with any password, time the responses, and compile a list of valid accounts for a later password-guessing or credential-stuffing attack. Because network jitter masks the difference, the attacker usually needs repeated measurements per username, which is why the attack complexity is rated High. The fix introduces a TimingSafeFormLoginAuthenticator that runs a dummy password-hash check when the username is unknown, so both outcomes cost roughly the same time. Users should upgrade to a patched release.
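The leak and the fix described above, shown as an added example in Python rather than in Mautic's PHP (this is illustrative code, not Mautic's own TimingSafeFormLoginAuthenticator). It assumes a constructed in-memory user table, uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for the application's password hasher, and the function names `login_leaky`, `login_timing_safe`, `median_latency` and `enumerate_users` are hypothetical. The attacker-side `enumerate_users` recovers the two existing accounts from the leaking check and nothing from the timing-safe one:

```python
# Added example, not Mautic's code: a minimal username/password check in two
# forms (timing-leaking and timing-safe) plus the measurement an attacker runs
# to enumerate accounts from the leaking form. Password hashing uses stdlib
# PBKDF2-HMAC-SHA256 with a high iteration count as a stand-in for the
# bcrypt/argon2 hasher a real application uses; only the cost of the hash
# matters for the timing side channel.
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 100_000          # slow on purpose, like a real password hasher


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user table; a real application reads this from its DB.
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, hash_password("correct horse", _SALT)),
    "bob": (_SALT, hash_password("battery staple", _SALT)),
}

# Dummy record used for unknown usernames so the hashing cost is paid anyway.
# It must use the same algorithm and cost as the real hasher or the gap remains.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password-never-accepted", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> bool:
    """Vulnerable form: an unknown username returns before any hashing."""
    record = USERS.get(username)
    if record is None:
        return False          # microseconds; a known user costs milliseconds
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_timing_safe(username: str, password: str) -> bool:
    """Hardened form: unknown usernames run a dummy hash of equal cost."""
    record = USERS.get(username)
    if record is None:
        hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return False          # same work done, so roughly the same latency
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def median_latency(login, username: str, samples: int = 5) -> float:
    """Median seconds for `samples` rejected logins of one username."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, "not-the-password")
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


def enumerate_users(login, candidates, samples: int = 5, ratio: float = 3.0):
    """Attacker view: usernames whose rejection is much slower than the
    fastest candidate are reported as existing accounts. The fastest
    candidate serves as the 'unknown user' baseline; repeated samples and
    the median are what make the oracle usable despite timing jitter."""
    latency = {u: median_latency(login, u, samples) for u in candidates}
    baseline = min(latency.values())
    return sorted(u for u, t in latency.items() if t > ratio * baseline)


if __name__ == "__main__":
    names = ["alice", "bob", "carol", "dave"]
    print("leaky:", enumerate_users(login_leaky, names))         # ['alice', 'bob']
    print("safe: ", enumerate_users(login_timing_safe, names))   # []
```

The threshold and sample count are tuned for an in-process measurement; over a network the hashing delay has to be separated from round-trip jitter, which takes many more samples per candidate and is the reason the CVSS attack complexity is High rather than Low. On the defending side, note that the dummy hash only closes the gap if it is computed with the same algorithm and cost parameters as the stored hashes, and the dummy record should be prepared once at startup rather than generated per request.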

Affected Version(s)

Mautic >= 4.4.0 < 4.4.0

Mautic >= 5.0.0-alpha < 5.0.0-alpha

Mautic >= 6.0.0-alpha < 6.0.0-alpha

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 3 September 2025

Credit

Vautia
kuzmany
nick-vanpraet