First published: Thu Jan 23 2025
Variable response times in the AWS Sign-in IAM user login flow allowed for the use of brute force enumeration techniques to identify valid IAM usernames in an arbitrary AWS account.
Credit: ff89ba41-3aa1-4d27-914a-91399e9639e5
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Amazon Web Services | | |
CVE-2025-0693 is rated medium severity because the timing difference allows brute-force enumeration of valid IAM usernames.
To mitigate CVE-2025-0693, apply rate limiting to the login flow and monitor login attempts so that username enumeration via response-time analysis can be detected and slowed.
Exploitation of CVE-2025-0693 reveals which IAM usernames exist, which can then support further unauthorized access attempts against those accounts.
Organizations using Amazon AWS with IAM user login flows are affected by CVE-2025-0693.
CVE-2025-0693 specifically concerns variable response times during the AWS Sign-in IAM user login flow.