CVE-2020-25200

MEDIUM NUCLEI

Pritunl 1.29.2145.25 - Username Enumeration via Login Attempt Error Code Discrepancy

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-25200. PoCs published by lukaszstu, c2at3. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a detailed writeup describing CVE-2020-25200, a username enumeration vulnerability in Pritunl VPN server v1.29.2145.25. The vulnerability allows attackers to determine valid usernames by observing the change in HTTP response codes after 20 failed login attempts.

Description

Pritunl 1.29.2145.25 allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially, the server will return error 401. However, if the username is valid, then after 20 login attempts, the server will start responding with error 400. Invalid usernames will receive error 401 indefinitely. Note: This has been disputed by the vendor as not a vulnerability. They argue that this is an intended design

Exploits (2)

nomisec WRITEUP 4 stars

by lukaszstu · poc

https://github.com/lukaszstu/pritunl-CVE-2020-25200

View Code ZIP pw:eip

This repository contains a detailed writeup describing CVE-2020-25200, a username enumeration vulnerability in Pritunl VPN server v1.29.2145.25. The vulnerability allows attackers to determine valid usernames by observing the change in HTTP response codes after 20 failed login attempts.

Classification

Writeup 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Pritunl VPN server v1.29.2145.25

No auth needed

Prerequisites: Network access to the Pritunl VPN server · Ability to send HTTP requests to the /auth/session endpoint

MITRE ATT&CK

T1589 - Gather Victim Identity Information T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

gitlab SCANNER

by c2at3 · poc

https://gitlab.com/c2at3/cve-2020-25200

View Code ZIP pw:eip

This repository contains a Python-based scanner for CVE-2020-25200, which checks for username existence and default accounts in Pritunl VPN servers by analyzing HTTP response codes from the `/auth/session` endpoint. It does not exploit the vulnerability but detects it through response analysis.

Classification

Scanner 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Pritunl VPN

No auth needed

Prerequisites: target URL · list of usernames

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 23, 2026 Full analysis →

Nuclei Templates (1)

Pritunl VPN Server 1.29.2145.25 - Username Enumeration

MEDIUMVERIFIEDby pussycat0x

Shodan: http.title:"pritunl"

FOFA: title="pritunl"

References (3)

Core 3

Core References

Vendor Advisory x_refsource_misc

https://pritunl.com

Vendor Advisory x_refsource_misc

https://pritunl.com/security

Exploit, Third Party Advisory x_refsource_misc

https://github.com/lukaszstu/pritunl/blob/master/CVE-2020-25200

View Exploit ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.7297

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-203

Status published

Products (1)

pritunl/pritunl 1.29.2145.25

Published Oct 01, 2020

Tracked Since Feb 18, 2026