CVE-2025-9139: Sensitive User Information Disclosure via WatchListDwr.init.dwr Endpoint
CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-9139
Summary
A vulnerability was identified in the WatchListDwr.init.dwr endpoint of SCADA-LTS that allows any authenticated user, even with minimal permissions, to access sensitive user information including usernames, emails, phone numbers, and admin status. This flaw constitutes an Information Disclosure issue and could be used to facilitate further attacks such as phishing, privilege escalation, or social engineering.
Details
- Vulnerable Endpoint:
POST /Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr - Authentication Required: Yes (low-privileged user)
- Affected Parameter: N/A (static DWR call)
- Impact Type: Information Disclosure
By issuing a crafted POST request to the vulnerable endpoint, a low-privileged user is able to retrieve detailed information of all users in the system. The backend responds with a full JavaScript object containing data such as usernames, emails, admin flags, and phone numbers.
Sample Request:
| |
Sample Response Snippet::
| |
PoC
Authenticate as any valid low-privileged user.
Send the above POST request to /Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr
Observe the server response containing sensitive information of all users in the SCADA system
Impact
- Privacy Violation: Emails, phone numbers, and usernames of all users, including administrators, are exposed.
- Privilege Escalation Support: Knowledge of admin usernames and roles could be leveraged in further attacks.
- Phishing and Social Engineering: Exposed contact information can be used to craft highly targeted attacks.
- Reconnaissance: Attackers can map the user structure of the SCADA-LTS system for further exploitation.
Reference
https://github.com/CVE-Hunters/CVE/blob/main/Scada-LTS/CVE-2025-9139.md
Finder
By: CVE-Hunters