CVE-2025-0693

Published Jan 23, 2025

Last updated 8 months ago

Overview

Description
Variable response times in the AWS Sign-in IAM user login flow allowed for the use of brute force enumeration techniques to identify valid IAM usernames in an arbitrary AWS account.
Source
ff89ba41-3aa1-4d27-914a-91399e9639e5
NVD status
Received

Risk scores

CVSS 4.0

Type
Secondary
Base score
6.9
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Secondary
Base score
5.3
Impact score
1.4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity
MEDIUM

Weaknesses

ff89ba41-3aa1-4d27-914a-91399e9639e5
CWE-204

Social media

Hype score
Not currently trending
  1. AWS IAM User Enumeration By Devesh Patel A critical vulnerability in AWS IAM (CVE-2025-0693) allows attackers to enumerate valid IAM users, paving the way for targeted brute-force attacks and credential stuffing. 🔍 What you’ll learn: 🛑 How the vulnerability enables use

    @AwsSecDigest

    5 Aug 2025

    269 Impressions

    0 Retweets

    5 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  2. 🖥️ AWS Console Flaws • Enumeration via MFA (user exposure) • Timing Attack (CVE-2025-0693, 100ms difference) ⚠️ Hackers use them to: • Identify accounts • Bypass MFA • Attack without generating logs AWS ignored 1 flaw. #CloudHacking #AWS #CVE2025069

    @polypuslabs

    6 May 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. [1day1line] CVE-2025-0693: User Enumeration Vulnerability due to Timing Attack in AWS IAM https://t.co/kEBRp6hj4s Today's 1day1line is a Timing Attack vulnerability that can exploit server response time differences during the AWS IAM login process to determine the presence of a

    @hackyboiz

    5 Mar 2025

    605 Impressions

    4 Retweets

    11 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-0693: AWS IAM User Enumeration https://t.co/evQsRPcMT8

    @_r_netsec

    23 Feb 2025

    773 Impressions

    1 Retweet

    5 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-0693: AWS IAM User Enumeration https://t.co/evQsRPcMT8

    @_r_netsec

    22 Feb 2025

    877 Impressions

    3 Retweets

    11 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-0693: AWS IAM User Enumeration https://t.co/R9K3xCppbm

    @Dinosn

    11 Feb 2025

    1732 Impressions

    5 Retweets

    14 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-0693: AWS IAM User Enumeration https://t.co/evQsRPcMT8

    @_r_netsec

    11 Feb 2025

    659 Impressions

    0 Retweets

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  8. New Rhino Blog Post: CVE-2025-0693: AWS IAM User Enumeration https://t.co/tuMn35kIxG

    @RhinoSecurity

    11 Feb 2025

    652 Impressions

    10 Retweets

    21 Likes

    4 Bookmarks

    0 Replies

    0 Quotes
