Cyber Resilience

CVE-2025-12455

Medium

Published: 13 March 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: available (see vendor advisory below)
CVSS v4 score: 5.1 (Medium); vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:X/RE:X/U:X
EPSS score: 0.0005 (15.5th percentile)
Risk priority: 10 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-12455 is a medium-severity Observable Response Discrepancy (CWE-204) vulnerability in the OpenText Vertica management console. Its CVSS v4 base score is 5.1 (Medium); the CVSS v3.1 score cited in the deeper analysis below is 7.5 (High), so the rating depends on which scoring is used.

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001). The issue is ranked at the 15.5th percentile by exploit likelihood (EPSS 0.0005, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-6 (Authentication Feedback).

Deeper analysis

CVE-2025-12455 is an observable response discrepancy vulnerability in OpenText™ Vertica that allows password brute forcing. The issue affects the Vertica management console application in versions from 10.0 through 10.X, from 11.0 through 11.X, and from 12.0 through 12.X.

Unauthenticated remote attackers with network access can exploit this vulnerability: attack complexity is low and no privileges are required. CWE-204 covers cases where the server's response to a failed authentication attempt differs depending on why it failed (for example a different error message, status code, or response time when the username does not exist). By observing such discrepancies, an attacker can tell valid guesses apart from invalid ones and so brute force management console passwords far more efficiently than blind guessing, potentially obtaining valid credentials. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) rates the confidentiality impact as high and requires no user interaction; note that the CVSS v4 vector in the header instead rates user interaction as active (UI:A) and confidentiality impact as low (VC:L), so the two scorings disagree on both exploitability and impact. The vulnerability is classified under CWE-204.

Mitigation guidance is available in the vendor advisory at https://portal.microfocus.com/s/article/KM000045854?language=en_US.


Vulnerability details

Observable response discrepancy vulnerability in OpenText™ Vertica allows Password Brute Forcing. The vulnerability could lead to Password Brute Forcing in the Vertica management console application. This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X.

CWE(s)

CWE-204 Observable Response Discrepancy

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110.001 Password Guessing (Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

Observable response discrepancy directly enables efficient password guessing/brute force against the management console.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
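The technique mapping above implies a detection: password guessing against the management console shows up as a burst of failed logons from one source, and the guessed credential shows up as a success that follows such a burst. The following is an added example, not code from the original page or from OpenText; it runs a sliding-window detector over constructed authentication log lines in a hypothetical `mc-auth` format (the real Vertica MC log format is not shown on this page, so the field names, IPs and timestamps here are assumptions).

```python
"""Sliding-window detection of password guessing (ATT&CK T1110.001) against a
management console. Added example; the log format, hosts and accounts below are
constructed and hypothetical, not OpenText Vertica's real log format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 fails six times in 13 seconds and then succeeds
# (credential guessed); 198.51.100.4 makes one ordinary mistake and should not alert.
SAMPLE_LOG = """\
2026-03-14T10:00:01Z mc-auth src=203.0.113.7 user=dbadmin result=FAIL
2026-03-14T10:00:03Z mc-auth src=203.0.113.7 user=dbadmin result=FAIL
2026-03-14T10:00:05Z mc-auth src=198.51.100.4 user=analyst result=FAIL
2026-03-14T10:00:06Z mc-auth src=203.0.113.7 user=dbadmin result=FAIL
2026-03-14T10:00:08Z mc-auth src=203.0.113.7 user=dbadmin result=FAIL
2026-03-14T10:00:11Z mc-auth src=203.0.113.7 user=dbadmin result=FAIL
2026-03-14T10:00:14Z mc-auth src=203.0.113.7 user=dbadmin result=FAIL
2026-03-14T10:00:20Z mc-auth src=198.51.100.4 user=analyst result=OK
2026-03-14T10:00:31Z mc-auth src=203.0.113.7 user=dbadmin result=OK
this line is not an auth record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) mc-auth "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(line):
    """Parse one hypothetical mc-auth line into a dict, or None if it is not an auth record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_password_guessing(log_text, threshold=5, window_seconds=300):
    """Return alerts as (kind, src, users_tried, failure_count).

    'burst'               : `threshold` failures from one source inside the window
                            (the guessing itself, AC-7 territory)
    'success-after-burst' : a success from a source still inside a burst
                            (the credential was most likely guessed)
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # src -> timestamps of failures inside the window
    users = defaultdict(set)        # src -> accounts attempted during the current burst
    alerted = set()                 # sources already reported for the current burst
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, q = rec["src"], failures[rec["src"]]
        while q and rec["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if rec["ok"]:
            if len(q) >= threshold:
                alerts.append(("success-after-burst", src, sorted(users[src]), len(q)))
            q.clear()
            users[src].clear()
            alerted.discard(src)                 # a new burst from this source alerts again
            continue
        q.append(rec["ts"])
        users[src].add(rec["user"])
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append(("burst", src, sorted(users[src]), len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
```

The window and threshold should mirror whatever AC-7 lockout policy the console enforces, so that the detector fires at or before the point where the lockout would; the `users_tried` field distinguishes guessing against one account (T1110.001) from spraying many accounts, which is a different sub-technique and a different response.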

CVEs Like This One

CVE-2025-23193 (shared CWE-204)
CVE-2025-8054 (same vendor: OpenText)
CVE-2026-3266 (same vendor: OpenText)
CVE-2026-4113 (shared CWE-204)
CVE-2018-25350 (shared CWE-204)
CVE-2026-33419 (shared CWE-204)

Affected Assets

opentext vertica, versions 10.0.0-0 through 12.0.4-34

Mitigating Controls (NIST 800-53 r5)

IA-6 Authentication Feedback (prevent)
Obscures authentication feedback so that every failed logon returns the same response regardless of the cause, removing the observable response discrepancy that enables efficient password brute forcing.

AC-7 Unsuccessful Logon Attempts (prevent)
Limits consecutive unsuccessful logon attempts and enforces account lockouts or delays to thwart brute force attacks on the management console.

SI-2 Flaw Remediation (prevent)
Remediates the specific observable response discrepancy flaw in affected Vertica versions through timely patching per the vendor advisory.
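To make the deeper analysis and the IA-6/AC-7 controls concrete, here is an added example (not OpenText Vertica code, and not its actual authentication logic): a login handler with a CWE-204 discrepancy next to a hardened one. The vulnerable version answers "unknown user" and skips the password hash when the account does not exist, so both the message and the response time act as an oracle; the hardened version hashes against a dummy record for unknown users, compares in constant time, returns one generic message (IA-6), and locks the account after a fixed number of consecutive failures (AC-7). The user store, salt, credentials and lockout threshold are constructed for the demonstration.

```python
"""CWE-204 in a login handler, and the hardened counterpart.
Added example with a constructed user store; not OpenText Vertica code."""
import hashlib
import hmac
import time
from collections import defaultdict
from typing import Tuple

# Hypothetical user store: username -> PBKDF2-HMAC-SHA256 hash. Salt and credentials are constructed.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


USERS = {"dbadmin": _hash("correct horse battery")}
_DUMMY = _hash("dummy-password-for-unknown-users")  # hashed once; reused to equalise work


def login_vulnerable(username: str, password: str) -> Tuple[int, str]:
    """Observable response discrepancy (CWE-204): an unknown username gets a
    different message AND skips the expensive hash, so both the body and the
    response time tell the attacker whether the account exists."""
    stored = USERS.get(username)
    if stored is None:
        return 401, "unknown user"
    if _hash(password) != stored:          # also not a constant-time comparison
        return 401, "wrong password"
    return 200, "ok"


# AC-7 state for the hardened handler: consecutive failures per account (in-memory, demo only)
_FAILURES = defaultdict(int)
LOCKOUT_THRESHOLD = 5


def reset_lockouts() -> None:
    _FAILURES.clear()


def login_hardened(username: str, password: str) -> Tuple[int, str]:
    """IA-6: one generic failure response and the same work for known and unknown users.
    AC-7: after LOCKOUT_THRESHOLD consecutive failures the account is locked and
    even the correct password is refused with the same generic message."""
    stored = USERS.get(username, _DUMMY)     # always hash, even for unknown users
    known = username in USERS                # checked separately so the dummy can never "match"
    match = hmac.compare_digest(_hash(password), stored)
    if _FAILURES[username] >= LOCKOUT_THRESHOLD:
        return 401, "invalid credentials"
    if known and match:
        _FAILURES[username] = 0
        return 200, "ok"
    _FAILURES[username] += 1
    return 401, "invalid credentials"


def enumerate_users(login, candidates):
    """Attacker's oracle: any candidate whose failure response differs from the
    response for a name that certainly does not exist is a valid account."""
    baseline = login("zz-definitely-not-a-user", "x")
    return [u for u in candidates if login(u, "x") != baseline]


def timing_gap_ms(login, existing: str, missing: str) -> float:
    """Response-time difference between a known and an unknown username (manual check)."""
    t0 = time.perf_counter()
    login(missing, "x")
    t1 = time.perf_counter()
    login(existing, "x")
    t2 = time.perf_counter()
    return ((t2 - t1) - (t1 - t0)) * 1000


if __name__ == "__main__":
    cands = ["dbadmin", "root", "admin"]
    print("vulnerable leaks:", enumerate_users(login_vulnerable, cands))
    print("hardened leaks:  ", enumerate_users(login_hardened, cands))
    print("timing gap, vulnerable (ms):", round(timing_gap_ms(login_vulnerable, "dbadmin", "nobody"), 1))
    print("timing gap, hardened (ms):  ", round(timing_gap_ms(login_hardened, "dbadmin", "nobody"), 1))
```

Run stand-alone, the vulnerable handler lets `enumerate_users` recover `dbadmin` from a candidate list and shows a visible timing gap, while the hardened handler yields nothing on either channel. In a real deployment the failure counter would live in shared storage and the lockout would be paired with the rate limiting and alerting that AC-7 expects, and a locked account should still return the same generic message so that lockout state itself does not become a new discrepancy.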
