Cyber Posture

CVE-2019-25337

Severity: Critical · Public PoC

Published: 12 February 2026
Modified: 15 April 2026
KEV Added: not listed (see Summary)
Patch: not recorded
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (37.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25337 is a critical-severity Observable Discrepancy (CWE-203) vulnerability in ownCloud 8.1.8 (product inferred from the NVD description and references; NVD filed no CPE). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Account Discovery (T1087). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Limits permitted actions without identification or authentication, preventing unauthenticated access to the share.php endpoint for username enumeration.

(prevent)
Implements protections on publicly accessible endpoints like share.php to block unauthorized disclosure of user information via crafted requests.

AC-3 Access Enforcement (prevent)
Enforces approved authorizations on the share.php endpoint, blocking unauthenticated requests that enumerate and disclose user accounts.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1087 Account Discovery Discovery
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.
Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing web application (T1190) to enumerate valid usernames and user information (T1087 Account Discovery).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OwnCloud 8.1.8 contains a username enumeration vulnerability that allows remote attackers to discover user accounts by manipulating the share.php endpoint. Attackers can send crafted GET requests to /index.php/core/ajax/share.php with a wildcard search parameter to retrieve comprehensive user information.

Deeper analysis

CVE-2019-25337 is a username enumeration vulnerability in ownCloud 8.1.8. It affects the share.php endpoint: a remote attacker sends crafted GET requests to /index.php/core/ajax/share.php with a wildcard value in the search parameter and receives comprehensive user information in the response. The weakness is classified as CWE-203 (Observable Discrepancy). The recorded CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network, low complexity, no privileges and no user interaction. Note that the description reads as a pure information disclosure, while the recorded vector also assigns High impact to integrity and availability, which nothing in the description explains; treat the 9.8 as an upper bound when prioritising and weigh the EPSS (37.5th percentile) alongside it.

Any unauthenticated remote attacker can exploit this vulnerability without privileges, user interaction, or special conditions. By manipulating the search parameter in the specified endpoint, attackers can enumerate valid usernames and retrieve detailed user data, potentially enabling further attacks such as targeted phishing, credential stuffing, or brute-force attempts against discovered accounts.
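One way to look for this activity on the defender's side, as an added example that is not part of the page and not ownCloud code: a Python detector over web-server access logs in Apache/nginx combined format. It keys only on the share.php path and the search parameter named in the NVD description and raises two findings, a single wildcard search (the crafted request) and a sweep of many distinct search terms from one client (an attacker walking the namespace letter by letter). The wildcard values it checks for, the fetch=getShareWith field in the sample lines, the sweep threshold and the sample log lines themselves are constructed assumptions.

```python
"""Access-log detector for share.php username enumeration (CVE-2019-25337).

Added example, not from the page or from ownCloud. Assumes Apache/nginx
"combined" log format; the share.php path comes from the NVD description.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SHARE_PATH = "/index.php/core/ajax/share.php"
WILDCARDS = {"", "*", "%"}    # assumed "match everything" values after URL decoding

# Combined log format: ip ident user [ts] "METHOD url PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic); the fetch= field is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2026:10:01:02 +0000] "GET /index.php/core/ajax/share.php?fetch=getShareWith&search=%25 HTTP/1.1" 200 8412 "-" "curl/8.5.0"
203.0.113.7 - - [12/Feb/2026:10:01:03 +0000] "GET /index.php/core/ajax/share.php?fetch=getShareWith&search=%2A HTTP/1.1" 200 8412 "-" "curl/8.5.0"
198.51.100.4 - - [12/Feb/2026:10:02:00 +0000] "GET /index.php/core/ajax/share.php?fetch=getShareWith&search=alice HTTP/1.1" 200 212 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Feb/2026:10:02:05 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Feb/2026:10:03:00 +0000] "GET /index.php/core/ajax/share.php?fetch=getShareWith&search=a HTTP/1.1" 200 3100 "-" "python-requests/2.31.0"
192.0.2.9 - - [12/Feb/2026:10:03:01 +0000] "GET /index.php/core/ajax/share.php?fetch=getShareWith&search=b HTTP/1.1" 200 1020 "-" "python-requests/2.31.0"
192.0.2.9 - - [12/Feb/2026:10:03:02 +0000] "GET /index.php/core/ajax/share.php?fetch=getShareWith&search=c HTTP/1.1" 200 2210 "-" "python-requests/2.31.0"
192.0.2.9 - - [12/Feb/2026:10:03:03 +0000] "GET /index.php/core/ajax/share.php?fetch=getShareWith&search=d HTTP/1.1" 200 1800 "-" "python-requests/2.31.0"
192.0.2.9 - - [12/Feb/2026:10:03:04 +0000] "GET /index.php/core/ajax/share.php?fetch=getShareWith&search=e HTTP/1.1" 200 990 "-" "python-requests/2.31.0"
this line is not in combined format and is skipped
"""


def parse_line(line: str):
    """Return the fields of a combined-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def share_search(url: str):
    """If url targets share.php, return the decoded search value ("" if absent); else None."""
    parts = urlsplit(url)
    if parts.path != SHARE_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)   # parse_qs URL-decodes values
    return qs.get("search", [""])[0]


def analyze(log_text: str, sweep_threshold: int = 5) -> list:
    """Return findings: one per wildcard search, plus one per client that sweeps many terms."""
    findings = []
    terms_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        term = share_search(rec["url"])
        if term is None:
            continue
        terms_by_ip[rec["ip"]].add(term)
        if term in WILDCARDS:
            # A 200 with a large body on a wildcard search is the strongest sign data left.
            findings.append({"rule": "wildcard_search", "ip": rec["ip"], "ts": rec["ts"],
                             "search": term, "status": rec["status"], "size": rec["size"]})
    for ip, terms in terms_by_ip.items():
        if len(terms) >= sweep_threshold:
            findings.append({"rule": "search_sweep", "ip": ip, "distinct_terms": len(terms)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Map the wildcard_search rule to T1190 and search_sweep to T1087 when the findings are forwarded; the sweep rule is the one that survives once an attacker learns to avoid the literal wildcard.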

Advisories and related resources include an exploit proof-of-concept on Exploit-DB (https://www.exploit-db.com/exploits/47745) and a VulnCheck advisory (https://www.vulncheck.com/advisories/owncloud-username-disclosure). The official ownCloud site (https://owncloud.org/) and a package mirror (https://ftp.icm.edu.pl/packages/owncloud/) are also referenced; this page records no fixed version, and the 8.1 series is several years old and unsupported, so upgrading to a supported release is the expected remediation, with the vendor advisory as the authority on fixed versions. The CVE was published on 2026-02-12.

Details

CWE(s)
CWE-203 Observable Discrepancy

Affected Products
ownCloud 8.1.8 (inferred from the NVD description and references; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-21510 (shared CWE-203)
CVE-2024-41335 (shared CWE-203)
CVE-2026-26315 (shared CWE-203)
CVE-2025-1468 (shared CWE-203)
CVE-2024-54767 (shared CWE-203)
CVE-2024-43095 (shared CWE-203)
CVE-2025-27667 (shared CWE-203)
CVE-2026-41588 (shared CWE-203)
CVE-2024-13939 (shared CWE-203)
CVE-2026-23519 (shared CWE-203)

References

https://www.exploit-db.com/exploits/47745 (Exploit-DB proof of concept)
https://www.vulncheck.com/advisories/owncloud-username-disclosure (VulnCheck advisory)
https://owncloud.org/ (ownCloud)
https://ftp.icm.edu.pl/packages/owncloud/ (package mirror)