CVE-2025-6056 - Vulnerability Details - OpenCVE

Timing difference in password reset in Ergon Informatik AG's Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 and 8.3.1 allows unauthenticated attackers to enumerate usernames.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://www.redguard.ch/blog/2025/07/04/cve-2025-6056-airlock-iam-username-enumeration/

History

Mon, 07 Jul 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 04 Jul 2025 11:30:00 +0000

Type	Values Removed	Values Added
Description		Timing difference in password reset in Ergon Informatik AG's Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 and 8.3.1 allows unauthenticated attackers to enumerate usernames.
Weaknesses		CWE-203
References		https://www.redguard.ch/blog/2025/07/04/cve-2025-6056-airlock-iam-username-enumeration/
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published: 2025-07-04T11:21:42.979Z

Updated: 2025-07-07T16:23:53.982Z

Reserved: 2025-06-13T12:44:22.762Z

Link: CVE-2025-6056

Vulnrichment

Updated: 2025-07-07T16:23:51.379Z

NVD

Status : Awaiting Analysis

Published: 2025-07-04T12:15:35.407

Modified: 2025-07-08T16:18:53.607

Link: CVE-2025-6056

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-6056", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "state": "PUBLISHED", "assignerShortName": "NCSC.ch", "dateReserved": "2025-06-13T12:44:22.762Z", "datePublished": "2025-07-04T11:21:42.979Z", "dateUpdated": "2025-07-07T16:23:53.982Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.airlock.com/en/secure-access-hub/components/iam", "defaultStatus": "unaffected", "modules": ["Password Reset Flow"], "product": "Airlock IAM", "vendor": "Ergon Informatik AG", "versions": [{"lessThanOrEqual": "7.7.10", "status": "affected", "version": "7.7.9", "versionType": "custom"}, {"status": "affected", "version": "8.0.8", "versionType": "custom"}, {"status": "affected", "version": "8.1.7", "versionType": "custom"}, {"status": "affected", "version": "8.2.4", "versionType": "custom"}, {"status": "affected", "version": "8.3.1", "versionType": "custom"}, {"status": "unaffected", "version": "8.4.1", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A password reset flow needs to be configured."}], "value": "A password reset flow needs to be configured."}], "credits": [{"lang": "en", "type": "finder", "value": "Patrick Schl\u00fcter - Redguard AG"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Timing difference in password reset in Ergon Informatik AG's Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 and 8.3.1 allows unauthenticated attackers to enumerate usernames.<p></p>"}], "value": "Timing difference in password reset in Ergon Informatik AG's Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 and 8.3.1 allows unauthenticated attackers to enumerate usernames."}], "impacts": [{"capecId": "CAPEC-2", "descriptions": [{"lang": "en", "value": "CAPEC-2 Inducing Account Lockout"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-203", "description": "CWE-203 Observable Discrepancy", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2025-07-04T11:21:42.979Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.redguard.ch/blog/2025/07/04/cve-2025-6056-airlock-iam-username-enumeration/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to a fixed version such as 7.7.11, 8.0.9, 8.1.8, 8.2.5, 8.3.2."}], "value": "Update to a fixed version such as\u00a07.7.11,\u00a08.0.9,\u00a08.1.8,\u00a08.2.5,\u00a08.3.2."}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-07T16:23:46.644226Z", "id": "CVE-2025-6056", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-07T16:23:53.982Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6056", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-07T16:23:46.644226Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-07T16:23:51.379Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Patrick Schl\u00fcter - Redguard AG"}], "impacts": [{"capecId": "CAPEC-2", "descriptions": [{"lang": "en", "value": "CAPEC-2 Inducing Account Lockout"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ergon Informatik AG", "modules": ["Password Reset Flow"], "product": "Airlock IAM", "versions": [{"status": "affected", "version": "7.7.9", "versionType": "custom", "lessThanOrEqual": "7.7.10"}, {"status": "affected", "version": "8.0.8", "versionType": "custom"}, {"status": "affected", "version": "8.1.7", "versionType": "custom"}, {"status": "affected", "version": "8.2.4", "versionType": "custom"}, {"status": "affected", "version": "8.3.1", "versionType": "custom"}, {"status": "unaffected", "version": "8.4.1", "versionType": "custom"}], "collectionURL": "https://www.airlock.com/en/secure-access-hub/components/iam", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to a fixed version such as\u00a07.7.11,\u00a08.0.9,\u00a08.1.8,\u00a08.2.5,\u00a08.3.2.", "supportingMedia": [{"type": "text/html", "value": "Update to a fixed version such as 7.7.11, 8.0.9, 8.1.8, 8.2.5, 8.3.2.", "base64": false}]}], "references": [{"url": "https://www.redguard.ch/blog/2025/07/04/cve-2025-6056-airlock-iam-username-enumeration/", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Timing difference in password reset in Ergon Informatik AG's Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 and 8.3.1 allows unauthenticated attackers to enumerate usernames.", "supportingMedia": [{"type": "text/html", "value": "Timing difference in password reset in Ergon Informatik AG's Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 and 8.3.1 allows unauthenticated attackers to enumerate usernames.<p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-203", "description": "CWE-203 Observable Discrepancy"}]}], "configurations": [{"lang": "en", "value": "A password reset flow needs to be configured.", "supportingMedia": [{"type": "text/html", "value": "A password reset flow needs to be configured.", "base64": false}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2025-07-04T11:21:42.979Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6056", "state": "PUBLISHED", "dateUpdated": "2025-07-07T16:23:53.982Z", "dateReserved": "2025-06-13T12:44:22.762Z", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "datePublished": "2025-07-04T11:21:42.979Z", "assignerShortName": "NCSC.ch"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Timing difference in password reset in Ergon Informatik AG's Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 and 8.3.1 allows unauthenticated attackers to enumerate usernames."}, {"lang": "es", "value": "La diferencia de tiempo en el restablecimiento de contrase\u00f1a en Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 y 8.3.1 de Ergon Informatik AG permite a atacantes no autenticados enumerar nombres de usuario."}], "id": "CVE-2025-6056", "lastModified": "2025-07-08T16:18:53.607", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-07-04T12:15:35.407", "references": [{"source": "[email protected]", "url": "https://www.redguard.ch/blog/2025/07/04/cve-2025-6056-airlock-iam-username-enumeration/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "[email protected]", "type": "Secondary"}]}