{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3716", "assignerOrgId": "4a9b9929-2450-4021-b7b9-469a0255b215", "state": "PUBLISHED", "assignerShortName": "ESET", "dateReserved": "2025-04-16T08:51:43.823Z", "datePublished": "2026-03-30T07:30:30.707Z", "dateUpdated": "2026-03-30T15:19:53.699Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "4a9b9929-2450-4021-b7b9-469a0255b215", "shortName": "ESET", "dateUpdated": "2026-03-30T07:30:30.707Z"}, "title": "User enumeration in ESET Protect (on-prem)", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-204", "description": "CWE-204 Observable response discrepancy", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-172", "descriptions": [{"lang": "en", "value": "CAPEC-172 Manipulate Timing and State"}]}], "affected": [{"vendor": "ESET, spol. s.r.o", "product": "ESET Protect (on-prem)", "versions": [{"status": "unaffected", "version": "12.1.1.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "User enumeration in ESET Protect (on-prem) via\u00a0Response Timing.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "User enumeration in ESET Protect (on-prem) via Response Timing."}]}], "references": [{"url": "https://help.eset.com/changelogs/?product=protect&lang=en-US", "tags": ["release-notes"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:18:46.243056Z", "id": "CVE-2025-3716", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:19:53.699Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3716", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:18:46.243056Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:19:40.537Z"}}], "cna": {"title": "User enumeration in ESET Protect (on-prem)", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-172", "descriptions": [{"lang": "en", "value": "CAPEC-172 Manipulate Timing and State"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ESET, spol. s.r.o", "product": "ESET Protect (on-prem)", "versions": [{"status": "unaffected", "version": "12.1.1.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://help.eset.com/changelogs/?product=protect&lang=en-US", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "User enumeration in ESET Protect (on-prem) via\u00a0Response Timing.", "supportingMedia": [{"type": "text/html", "value": "User enumeration in ESET Protect (on-prem) via Response Timing.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-204", "description": "CWE-204 Observable response discrepancy"}]}], "providerMetadata": {"orgId": "4a9b9929-2450-4021-b7b9-469a0255b215", "shortName": "ESET", "dateUpdated": "2026-03-30T07:30:30.707Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3716", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:19:53.699Z", "dateReserved": "2025-04-16T08:51:43.823Z", "assignerOrgId": "4a9b9929-2450-4021-b7b9-469a0255b215", "datePublished": "2026-03-30T07:30:30.707Z", "assignerShortName": "ESET"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "User enumeration in ESET Protect (on-prem) via\u00a0Response Timing."}], "id": "CVE-2025-3716", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@eset.com", "type": "Secondary"}]}, "published": "2026-03-30T08:16:16.380", "references": [{"source": "security@eset.com", "url": "https://help.eset.com/changelogs/?product=protect&lang=en-US"}], "sourceIdentifier": "security@eset.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}], "source": "security@eset.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "12.1.1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "ESET Protect (on-prem)", "source": "cna", "vendor": "ESET, spol. s.r.o"}, "product": "eset_protect", "vendor": "eset"}], "analysis": {"en": {"generated_at": "2026-03-30T09:21:54.804333+00:00", "value": {"mitigation_remediation": ["Check the ESET website or support portal for an update that addresses the enumeration issue and apply it as soon as possible.", "If a patch is not yet available, restrict external network access to the ESET Protect management console by allowing only trusted IP ranges or using firewall rules.", "Continuously monitor ESET advisories and security bulletins for any forthcoming patches or temporary workarounds."], "summary": {"action": "Patch", "impact": "User Enumeration"}, "threat_synthesis": {"affected_systems": "The flaw affects ESET Protect (on\u2011prem) deployments. No specific product versions are listed, implying the issue may be present across multiple or all on\u2011prem releases available at the time of disclosure.", "description_and_impact": "The vulnerability in ESET Protect (on\u2011prem) allows an attacker to enumerate valid usernames by measuring the response time to authentication attempts. This information disclosure can enable targeted password guessing or credential stuffing attacks, compromising the confidentiality of user accounts. The weakness is classified under CWE\u2011204.", "risk_and_exploitability": "The CVSS score is 5.3, indicating a moderate severity. Exploit probability data is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack requires network access to the ESET Protect management interface, and the response\u2011timing technique suggests that an attacker can exploit the vulnerability remotely without additional privileges."}}}}, "created": "2026-03-30T20:56:04.560801+00:00", "updated": "2026-03-31T20:41:11.978380+00:00", "vendors": ["eset", "eset$PRODUCT$eset_protect"]}