CVE-2021-44848

MEDIUM NUCLEI

Thinfinity VirtualUI < 3.0 - User Enumeration via Password Change Response Discrepancy


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-44848. PoCs published by Daniel Morales. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a writeup describing a user enumeration vulnerability in Cibele Thinfinity VirtualUI. The exploit leverages a predictable endpoint to brute-force usernames via HTTP responses, allowing attackers to determine valid usernames.

Description

In Cibele Thinfinity VirtualUI before 3.0, /changePassword returns different responses for invalid authentication requests depending on whether the username exists.

Exploits (1)

exploitdb WRITEUP
by Daniel Morales · text · webapps · multiple
https://www.exploit-db.com/exploits/50601


Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Cibele Thinfinity VirtualUI < v3.0
No auth needed
Prerequisites: network access to the target server
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Thinfinity VirtualUI User Enumeration
MEDIUM · by danielmofer
Shodan: http.title:"thinfinity virtualui"
FOFA: title="thinfinity virtualui"

References (2)

Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/cybelesoft/virtualui/issues/1

Scores

CVSS v3 5.3
EPSS 0.2314
EPSS Percentile 97.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE CWE-203
Status published
Products (1)
cybelesoft/thinfinity_virtualui < 3.0
Published Dec 13, 2021
Tracked Since Feb 18, 2026