cbcvebase.
CVE-2020-25200
published 2020-10-01


Priority: P342 · Severity: medium · CVSS 3.1 base score: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploit likelihood (EPSS): 7.47%, 93.7th percentile
Pritunl 1.29.2145.25 allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially, the server will return error 401. However, if the username is valid, then after 20 login attempts, the server will start responding with error 400. Invalid usernames will receive error 401 indefinitely. Note: This has been disputed by the vendor as not a vulnerability. They argue that this is an intended design.

Affected (1 range)

Vendor | Product | Version range | Fixed in
pritunl | pritunl | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

url: /auth/session
command: POST /auth/session HTTP/1.1
other: Too many authentication attempts
other: auth_too_many
  • A valid username is identified when the server's response to repeated failed logins at /auth/session changes from HTTP 401 to HTTP 400 after roughly 20 consecutive attempts. Invalid usernames return 401 no matter how many attempts are made.
  • Detect enumeration attempts by monitoring for repeated POST requests to /auth/session with Content-Type: application/json, especially bursts of 20 or more from the same source IP. Because the threshold is counted per username, also track how many distinct usernames each source tries; a per-IP burst rule alone misses attempts spread across several addresses.
  • Alert on HTTP 400 responses from /auth/session whose JSON body contains 'Too many authentication attempts' or 'auth_too_many'. The advisory states this response is only produced for valid usernames, so each one marks an account that an enumeration run has confirmed (or a legitimate user who has locked themselves out, which is also worth knowing).
  • Use Shodan/FOFA/Google dorks to identify exposed Pritunl login panels that may be targeted: Shodan: http.title:"pritunl", FOFA: title="pritunl", Google: intitle:"pritunl".
  • The vendor disputes this as a vulnerability, stating the differing error responses are intentional design behavior, not a security flaw.
  • Exploitation requires network reachability to the Pritunl web login endpoint (/auth/session); without it the behavior cannot be triggered.
  • The enumeration threshold is approximately 20 attempts per username before the server response changes from 401 to 400; detection rules should account for this specific count window.
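The following is an added example, not code from the original page and not Pritunl's own code. It models the 401 to 400 oracle the advisory describes for /auth/session with a stand-in server so it runs offline, drives that oracle the way an enumeration script would (one username, repeated wrong passwords, watch for the flip), and then runs a detector over constructed log lines that applies the burst and lockout-response rules from the list above. The fake server, the log line format, the 401 error body and the usernames are all assumptions made for the demonstration; only the 400 body strings come from the page.

```python
"""Offline model of the CVE-2020-25200 username oracle plus a log-based detector.

Added example. FakePritunlAuth, the log format and all usernames are assumptions;
the 'auth_too_many' / 'Too many authentication attempts' strings are from the advisory.
"""
import re
from collections import Counter, defaultdict

# Per the advisory: a valid username flips from 401 to 400 after 20 failed attempts.
THRESHOLD = 20


class FakePritunlAuth:
    """Assumed stand-in for POST /auth/session so the example runs without a server."""

    def __init__(self, valid_users):
        self.valid_users = set(valid_users)
        self.failed = Counter()  # per-username counter, as the advisory implies

    def login(self, username, password):
        """Return (http_status, json_body) mimicking the behaviour the CVE describes."""
        if username not in self.valid_users:
            return 401, {"error": "auth_invalid"}  # assumed body; invalid users get 401 forever
        self.failed[username] += 1
        if self.failed[username] > THRESHOLD:
            return 400, {"error": "auth_too_many",
                         "error_msg": "Too many authentication attempts"}
        return 401, {"error": "auth_invalid"}


def probe_username(login, username, max_attempts=THRESHOLD + 5):
    """Send wrong passwords for one username and watch for the 401 -> 400 flip.

    `login` is any callable (username, password) -> (status, body).
    Returns (is_valid, attempts_used). A username is reported valid only when
    the lockout response appears within max_attempts; 401 throughout means invalid.
    """
    for n in range(1, max_attempts + 1):
        status, body = login(username, "definitely-wrong")
        if status == 400 and body.get("error") == "auth_too_many":
            return True, n
    return False, max_attempts


# Constructed log format for the demo (not Pritunl's real access-log format):
#   <iso-ts> <src_ip> <method> <path> <status> user=<name> err=<code>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S+) err=(?P<err>\S+)$"
)


def detect_enumeration(lines, burst=THRESHOLD):
    """Apply the page's two rules: (a) a source bursting >= `burst` POSTs at
    /auth/session, (b) a 400 auth_too_many response, which the advisory says
    only valid usernames ever receive. Also counts distinct usernames per source
    so a distributed run still stands out."""
    posts_per_src = Counter()
    users_per_src = defaultdict(set)
    confirmed_users = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/auth/session":
            continue
        posts_per_src[m["src"]] += 1
        users_per_src[m["src"]].add(m["user"])
        if m["status"] == "400" and m["err"] == "auth_too_many":
            confirmed_users.add(m["user"])
    return {
        "bursting_sources": {s for s, n in posts_per_src.items() if n >= burst},
        "usernames_tried": {s: len(u) for s, u in users_per_src.items()},
        "confirmed_valid_usernames": confirmed_users,
    }


def build_sample_log(server, attacker_ip, usernames):
    """Run the probe against the fake server and record one constructed log line per request."""
    lines = []

    def logging_login(u, p):
        status, body = server.login(u, p)
        lines.append(f"2020-10-01T12:00:00Z {attacker_ip} POST /auth/session "
                     f"{status} user={u} err={body['error']}")
        return status, body

    for user in usernames:
        probe_username(logging_login, user)
    return lines


if __name__ == "__main__":
    srv = FakePritunlAuth(valid_users={"alice"})
    print(probe_username(srv.login, "alice"))    # valid: flips on attempt 21
    print(probe_username(srv.login, "mallory"))  # invalid: never flips
    log = build_sample_log(FakePritunlAuth({"alice"}), "203.0.113.5", ["alice", "mallory"])
    print(detect_enumeration(log))
```

Against a real deployment the only change is swapping `srv.login` for a function that POSTs the JSON body to /auth/session and returns the status and decoded body; the probe logic and the detector do not change. Note that the probe's result for a valid account is one-shot: once the per-username counter has passed the threshold, a second probe of the same name reports valid on its first attempt.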

CVSS provenance

NVD, CVSS v3.1: 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
NVD, CVSS v2.0: 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N