Vulnerabilities · Severity: MEDIUM

PEGA Infinity Platform - Multiple Vulnerabilities Discovered

Source: Full Disclosure
Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana
In short: PEGA Infinity has security flaws that could let attackers get at user data.

Quick Summary

SEC Consult has revealed multiple vulnerabilities in the PEGA Infinity platform. Users of affected versions should act quickly to install patches. Failure to do so could lead to unauthorized access and data breaches. Stay secure by updating your systems now.

The Flaw

SEC Consult Vulnerability Lab recently disclosed multiple vulnerabilities in the PEGA Infinity platform, tracked as CVE-2025-62181 and CVE-2025-9559. The first is weak brute-force protection on the login page; the second is an Insecure Direct Object Reference (IDOR). Both can lead to unauthorized access and data exposure.

CVE-2025-62181 affects versions from 7.1.0 through Infinity 25.1.0, while CVE-2025-9559 affects versions 8.7.5 through Infinity 24.2.2. The weak brute-force protection lets an attacker enumerate valid usernames and run password-spraying attacks, potentially compromising user accounts. The IDOR flaw allows access to files that should be restricted to their owners.

What's at Risk

Both vulnerabilities could give attackers unauthorized access to sensitive data. The weak brute-force protection, for instance, can be used to confirm which usernames exist and then try common passwords against them, which could lead to account takeover and put personal and organizational data at risk.

The IDOR vulnerability, meanwhile, lets attackers retrieve files uploaded by other users because the platform does not perform proper authorization checks on those requests. This could expose sensitive images or documents, raising the risk further for organizations that rely on PEGA Infinity for sensitive workflows.

Patch Status

The vendor has released patches for both issues. For CVE-2025-62181, the fixed versions are 24.1.4, 24.2.4, and 25.1.1. For CVE-2025-9559, the fixed version is 24.2.3. Users are strongly advised to install these updates immediately.

Organizations running affected versions should also conduct a thorough security review, since additional issues may exist that these patches do not address.

Immediate Actions

To protect your systems, take the following steps:

  • Update the PEGA Infinity platform to the latest patched versions as soon as possible.
  • Conduct a security review of your deployment to identify any other potential weaknesses.
  • Add compensating controls, such as stronger password policies and multi-factor authentication, to blunt brute-force and password-spraying attempts.

By taking these actions, organizations can significantly reduce their risk of exploitation and protect sensitive data from unauthorized access.

🔒 Pro insight: Patch immediately; flaws of this kind can be exploited quickly by attackers using automated brute-force tooling.

