CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Description (NVD)
IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.
Analysis (AI)
IBM Aspera Shares versions 1.9.9 through 1.11.0 fail to invalidate user sessions following password reset operations, enabling authenticated users to maintain access to compromised accounts and impersonate other users. The vulnerability requires prior authentication and allows limited confidentiality and integrity impact through account takeover. IBM has released a patch to address this session management defect.
Technical Context (AI)
The vulnerability stems from improper session handling in IBM Aspera Shares, a file transfer and collaboration platform. After a user resets their password, the application fails to terminate the active sessions associated with that account (CWE-613: Insufficient Session Expiration). This is a classic session-persistence flaw: existing session tokens remain valid despite the credential change. An authenticated attacker who has learned another user's credentials, or who holds a valid session token for that account from before the password reset, can continue using that session to perform actions as the legitimate user. The affected CPE is cpe:2.3:a:ibm:aspera_shares:*:*:*:*:*:*:*:* for versions 1.9.9 through 1.11.0.
Remediation (AI)
IBM has released a patch available through their support portal. Organizations should upgrade IBM Aspera Shares to the patched version specified in the vendor advisory at https://www.ibm.com/support/pages/node/7267848. As an immediate mitigation pending patch deployment, administrators should enforce logout of all active sessions when initiating password resets for user accounts, consider implementing additional session monitoring and re-authentication requirements for sensitive operations, and audit session logs for suspicious cross-user activity patterns that may indicate session hijacking attempts.
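The session-handling defect described under Technical Context, and the "log out all active sessions on password reset" mitigation above, side by side as an added example (constructed illustration in Python, not code from IBM Aspera Shares): the vulnerable reset leaves a pre-existing session token usable, the hardened reset revokes every session bound to the account. The in-memory store, PBKDF2 hashing and the `alice` account are assumptions for the demonstration.

```python
import hashlib
import secrets
from typing import Callable, Dict, Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real product uses; the defect is not in hashing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Minimal in-memory session store: opaque token -> username (constructed for the example)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def user_for(self, token: str) -> Optional[str]:
        return self.sessions.get(token)

    def revoke_all_for(self, username: str) -> int:
        """Drop every session bound to the account; returns how many were removed."""
        stale = [t for t, u in self.sessions.items() if u == username]
        for t in stale:
            del self.sessions[t]
        return len(stale)


Users = Dict[str, Tuple[bytes, bytes]]


def reset_password_vulnerable(store: SessionStore, users: Users, username: str, new_pw: str) -> None:
    """CWE-613 shape: the credential changes but sessions opened earlier keep working."""
    salt = secrets.token_bytes(16)
    users[username] = (salt, hash_password(new_pw, salt))


def reset_password_fixed(store: SessionStore, users: Users, username: str, new_pw: str) -> None:
    """Hardened: change the credential, then invalidate every session for the account."""
    salt = secrets.token_bytes(16)
    users[username] = (salt, hash_password(new_pw, salt))
    store.revoke_all_for(username)


def session_survives_reset(reset_fn: Callable[..., None]) -> bool:
    """True if a session opened before the password reset still resolves to the account afterwards."""
    users, store = {}, SessionStore()
    salt = secrets.token_bytes(16)
    users["alice"] = (salt, hash_password("old-pw", salt))
    token_before_reset = store.create("alice")  # e.g. a session left open on another device
    reset_fn(store, users, "alice", "new-pw")
    return store.user_for(token_before_reset) == "alice"
```

Checking `session_survives_reset` for each variant is also a cheap regression test to keep in a password-reset code path.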
EUVD-2025-209178
GHSA-4rp7-5w2x-wwvh