Cyber Posture

CVE-2019-25337

Severity: Critical · Public PoC available

Published: 12 February 2026
Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (37.6th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

OwnCloud 8.1.8 contains a username enumeration vulnerability that allows remote attackers to discover user accounts by manipulating the share.php endpoint. Attackers can send crafted GET requests to /index.php/core/ajax/share.php with a wildcard search parameter to retrieve comprehensive user information.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Limits permitted actions without identification or authentication, preventing unauthenticated access to the share.php endpoint for username enumeration.

prevent: Implements protections on publicly accessible endpoints like share.php to block unauthorized disclosure of user information via crafted requests.

prevent: Enforces approved authorizations on the share.php endpoint, blocking unauthenticated requests that enumerate and disclose user accounts.

Security Summary [AI-generated]

CVE-2019-25337 is a username enumeration vulnerability in OwnCloud version 8.1.8. It affects the share.php endpoint, where remote attackers can discover valid user accounts by sending crafted GET requests to /index.php/core/ajax/share.php using a wildcard search parameter, which returns comprehensive user information. The vulnerability is classified under CWE-203 and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.

Any unauthenticated remote attacker can exploit this vulnerability without privileges, user interaction, or special conditions. By manipulating the search parameter in the specified endpoint, attackers can enumerate valid usernames and retrieve detailed user data, potentially enabling further attacks such as targeted phishing, credential stuffing, or brute-force attempts against discovered accounts.

Advisories and related resources, including an exploit proof-of-concept on Exploit-DB (https://www.exploit-db.com/exploits/47745) and a VulnCheck advisory (https://www.vulncheck.com/advisories/owncloud-username-disclosure), provide further details. Official OwnCloud resources (https://owncloud.org/) and package archives (https://ftp.icm.edu.pl/packages/owncloud/) are referenced for potential patches or updates; specific mitigation steps are outlined in those documents. The CVE was published on 2026-02-12.
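The description above gives a defender one concrete detection surface: requests to /index.php/core/ajax/share.php whose query string carries a wildcard. The following Python is an added example, not code from the Cyber Posture page or from ownCloud, that parses web-server access-log lines in the common "combined" format, flags share.php requests with a wildcard value in any query parameter, and counts hits per source address. The log lines are constructed; the parameter name `search` in them is an assumption, and the check deliberately keys on the wildcard value rather than the parameter name so it does not depend on that assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines in Apache/nginx "combined" format.
# Addresses are documentation ranges; parameter names are assumed, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2026:10:01:02 +0000] "GET /index.php/core/ajax/share.php?search=%2A&itemType=file HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [12/Feb/2026:10:01:03 +0000] "GET /index.php/core/ajax/share.php?search=*&itemType=folder HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.4 - alice [12/Feb/2026:10:02:10 +0000] "GET /index.php/core/ajax/share.php?search=bob&itemType=file HTTP/1.1" 200 312 "https://cloud.example/" "Mozilla/5.0"
198.51.100.4 - alice [12/Feb/2026:10:02:11 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Feb/2026:10:03:00 +0000] "GET /index.php/core/ajax/share.php?search=a*&itemType=file HTTP/1.1" 200 4900 "-" "curl/8.4.0"
"""

# Endpoint named in the CVE description.
SHARE_ENDPOINT = "/index.php/core/ajax/share.php"

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def wildcard_params(target):
    """Return (name, value) pairs of share.php query parameters whose value contains '*'.

    parse_qsl percent-decodes values, so an encoded %2A is caught as well as a bare '*'.
    Any other path yields an empty list.
    """
    parts = urlsplit(target)
    if parts.path != SHARE_ENDPOINT:
        return []
    return [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if "*" in value]


def find_enumeration(log_text):
    """Flag wildcard share.php requests; return (findings, per-source-IP counts).

    'authenticated' is derived from the remote-user field of the log line, which is
    only populated for HTTP-auth logins; with session cookies it stays '-', so treat
    it as a hint rather than proof that the request was anonymous.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = wildcard_params(rec["target"])
        if not hits:
            continue
        findings.append({
            "ts": rec["ts"],
            "ip": rec["ip"],
            "authenticated": rec["user"] != "-",
            "status": rec["status"],
            "size": rec["size"],
            "params": hits,
        })
    per_ip = Counter(f["ip"] for f in findings)
    return findings, per_ip


if __name__ == "__main__":
    results, counts = find_enumeration(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']} auth={f['authenticated']} status={f['status']} "
              f"size={f['size']} params={f['params']}")
    print("wildcard share.php requests per source:", dict(counts))
```

Run against a real access log by replacing SAMPLE_LOG with the file contents. A large response size on an unauthenticated wildcard request is the strongest signal, since a legitimate share-search for one username returns a short list; several such requests from one source in a short window is the pattern worth alerting on.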

Details

CWE(s): CWE-203

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1087 Account Discovery (Discovery)
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.
Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing web application (T1190) to enumerate valid usernames and user information (T1087 Account Discovery).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
