CVE-2025-9824: 
PHP vulnerability analysis and mitigation

A timing-based user enumeration vulnerability (CVE-2025-9824) was discovered in Mautic versions 4.4.0 through 4.4.17, 5.0.0-alpha through 5.2.8, and 6.0.0-alpha through 6.0.5. The vulnerability was disclosed on September 3, 2025, affecting the authentication mechanism of the Mautic platform (Mautic Advisory).

The vulnerability stems from inconsistent response timing during the login process. When a valid username is provided, the system performs password hashing, while no hashing occurs for invalid usernames, creating an observable timing difference. This timing discrepancy is classified as CWE-204 (Observable Response Discrepancy). The vulnerability has been assigned a CVSS v3.1 score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (Mautic Advisory).

An attacker can exploit this vulnerability to enumerate valid usernames by measuring the response times of login attempts. Once valid usernames are identified, the attacker could potentially conduct targeted brute force attacks against these accounts (Mautic Advisory).

The vulnerability has been patched in Mautic versions 4.4.17, 5.2.8, and 6.0.5. The fix implements a TimingSafeFormLoginAuthenticator that performs a dummy password hash verification for non-existent users, ensuring consistent timing regardless of username validity. No workarounds are available, and users are advised to upgrade to the patched versions (Mautic Advisory).