CVE-2018-25350 -- CVSS 9.8 Vulnerability Briefing
CVE-2018-25350 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2018-25350 is a username enumeration vulnerability in userSpice 4.3.24, a PHP-based user management and authentication framework, exposed through the unauthenticated existingUsernameCheck.php endpoint.
Technical Detail
The flaw exists because the existingUsernameCheck.php script accepts POST requests without requiring authentication and returns distinguishable responses depending on whether a submitted username exists in the system. An unauthenticated attacker can automate POST requests to this endpoint to enumerate valid usernames, effectively mapping the user base of a target application. While this vulnerability does not directly enable account takeover, the enumerated usernames can be used to significantly improve the efficiency of credential stuffing, brute-force, or spear-phishing attacks against the affected system.
Exploitation Status
No known exploit code has been publicly documented for this vulnerability, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as none at this time, meaning no confirmed proof-of-concept or operational tooling has been identified. Despite the critical CVSS score of 9.8, the absence of known exploitation reduces immediate urgency, though the low technical barrier to abuse warrants attention.
Who Is Targeting This
Confirmed (ATTAX-verified): Mustard Tempest (origin unknown, motivation unknown), APT38 (origin: DPRK, motivation: nation-state), Storm-0501 (origin unknown, motivation unknown), Windshift (origin unknown, motivation unknown), and Inception (origin: Russia, motivation: nation-state). The association of multiple high-confidence nation-state and financially motivated actors with this CVE is notable given the relatively low technical sophistication of the vulnerability itself. No additional reported or research-inferred actor attribution is present in the available data beyond the confirmed set above.
What To Do
Organizations running userSpice 4.3.24 or earlier should upgrade to the latest available release immediately, as this version is significantly outdated as of May 2026. If an immediate upgrade is not feasible, access to the existingUsernameCheck.php endpoint should be restricted at the web server or firewall level, blocking unauthenticated external access to that script. Detection can be achieved by monitoring web server logs for repeated POST requests to existingUsernameCheck.php from single or rotating source IPs, which is a reliable indicator of automated enumeration activity. Given the confirmed association with multiple sophisticated threat actors, organizations should treat this as a higher-priority remediation item than the lack of known public exploits might otherwise suggest, and should audit exposed userSpice instances for signs of prior reconnaissance.
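The log-based detection described above, as an added example that is not part of this briefing or the userSpice project: it parses combined-format web server log lines, counts POSTs to existingUsernameCheck.php per source IP, and flags both a single source that bursts past a threshold and a burst spread across rotating sources. The /users/ path prefix, the sample log lines, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

ENDPOINT = "existingUsernameCheck.php"          # the script named in the advisory
# Combined log format (Apache/nginx): ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample traffic (not real logs); the /users/ prefix is an assumption.
REQ = '{ip} - - [12/May/2026:{t} +0000] "POST /users/existingUsernameCheck.php HTTP/1.1" 200 21 "-" "{ua}"'
SINGLE_SOURCE_LOG = "\n".join(
    [REQ.format(ip="203.0.113.7", t=f"10:00:0{i}", ua="python-requests/2.31") for i in range(5)]
    + ['198.51.100.4 - - [12/May/2026:10:00:09 +0000] "GET /users/login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"',
       REQ.format(ip="198.51.100.4", t="10:00:12", ua="Mozilla/5.0")])
ROTATING_LOG = "\n".join(REQ.format(ip=f"198.51.100.{i}", t=f"11:00:0{i}", ua="curl/8.0") for i in range(1, 6))

def max_hits_in_window(times, window):
    """Largest number of timestamps falling inside any span of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_enumeration(log_text, threshold=5, window=60):
    """Flag IPs (and multi-IP bursts) that POST to the endpoint >= threshold times within `window` seconds."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith(ENDPOINT):
            continue
        per_ip[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = sorted(ip for ip, ts in per_ip.items() if max_hits_in_window(ts, window) >= threshold)
    every_hit = [t for ts in per_ip.values() for t in ts]
    # Rotating sources: no single IP crosses the threshold, but the endpoint as a whole does.
    rotating = (not flagged and len(per_ip) > 1 and max_hits_in_window(every_hit, window) >= threshold)
    return {"hits_per_ip": {ip: len(ts) for ip, ts in per_ip.items()},
            "flagged_ips": flagged, "rotating_source_burst": rotating}

if __name__ == "__main__":
    for name, log in (("single source", SINGLE_SOURCE_LOG), ("rotating sources", ROTATING_LOG)):
        print(name, find_enumeration(log))
```

Tune `threshold` and `window` to the normal rate of legitimate registration-form checks on the instance; the rotating-source check is what catches distributed enumeration that per-IP rate limiting alone would miss.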