CVE-2018-25350

CRITICAL

userSpice 4.3.24 Username Enumeration via existingUsernameCheck.php

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25350. PoCs published by Dolev Farhi.

AI-analyzed exploit summary: This script enumerates valid usernames in UserSpice 4.3.24 by sending POST requests to the 'existingUsernameCheck.php' endpoint and checking for the 'taken' response. It reads usernames from a file and reports which ones exist on the target system.

Description

userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the 'taken' string to identify existing accounts in the system.

Exploits (1)

exploitdb SCANNER
by Dolev Farhi · python · webapps · php
https://www.exploit-db.com/exploits/44872

Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: UserSpice 4.3.24
No auth needed
Prerequisites: target IP/URL · list of usernames in a text file
devstral-2 · analyzed May 24, 2026

References (2)

Core References
Exploit: ExploitDB-44872
https://www.exploit-db.com/exploits/44872
Third Party Advisory: VulnCheck Advisory: userSpice 4.3.24 Username Enumeration via existingUsernameCheck.php
https://www.vulncheck.com/advisories/userspice-username-enumeration-via-existingusernamecheck-php

Scores

CVSS v3 9.8
EPSS 0.0054
EPSS Percentile 40.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-204
Status published
Products (1)
UserSpice/userSpice 4.3.24
Published May 23, 2026
Tracked Since May 24, 2026