PT-2025-43532 · Tibbo · Tibbo Aggregate Network Manager
Alex Williams · Published 2025-10-23 · Updated 2025-10-23 · CVE-2025-34155
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Tibbo AggreGate Network Manager versions prior to 6.40.05
Description
The login functionality exhibits a discrepancy in authentication failure messages. These messages vary depending on whether a provided username exists, potentially enabling an unauthenticated remote attacker to identify valid account identifiers. This can aid in user enumeration, potentially increasing the success rate of brute-force or credential-stuffing attacks. The /login API endpoint is affected. The username parameter is vulnerable to enumeration.
Recommendations
Update Tibbo AggreGate Network Manager to version 6.40.05 or later.
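For teams checking their own login handlers for the same class of weakness, the following added example (not code from Tibbo or from this advisory) contrasts a handler whose failure message depends on the username with one that returns a single response and does the same hashing work on both paths. The account store, message strings and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample account store: username -> (salt, password hash).
USERS = {"operator": _make_user("correct horse")}
# Dummy credentials checked when the username is unknown, so both
# failure paths perform the same hashing work.
DUMMY_SALT, DUMMY_HASH = _make_user(os.urandom(16).hex())
GENERIC_FAILURE = (401, "Invalid username or password")

def login_leaky(username: str, password: str):
    """Weak pattern: the failure text reveals whether the username exists."""
    if username not in USERS:
        return 401, "Unknown user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "Wrong password"
    return 200, "OK"

def login_uniform(username: str, password: str):
    """Hardened pattern: one response for every failure, same hashing cost."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and username in USERS:
        return 200, "OK"
    return GENERIC_FAILURE

def leaks_username(handler, known_user: str, absent_user: str) -> bool:
    """Regression check: True if failed logins differ for existing vs. missing names."""
    return handler(known_user, "bad-password") != handler(absent_user, "bad-password")
```

A check like `leaks_username` can run in CI against the real handler so that a later change to error text or status codes does not reintroduce the discrepancy.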
Affected Products
Tibbo Aggregate Network Manager