CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Description (NVD)
IBM Aspera Shares 1.9.9 through 1.11.0 does not properly rate limit the frequency that an authenticated user can send emails, which could result in email flooding or a denial of service.
Analysis (AI)
IBM Aspera Shares 1.9.9 through 1.11.0 lacks proper rate limiting on email submissions by authenticated users, allowing a high-privilege user to trigger email flooding or a denial-of-service condition. Exploitation requires an admin-level or otherwise high-privilege account and results in degraded service availability rather than data compromise. The EPSS exploitation probability is low (CVSS base score 2.7; high privileges required), and no public exploit code or active exploitation had been identified at the time of analysis.
Technical Context (AI)
The vulnerability lies in the email functionality of IBM Aspera Shares, IBM's enterprise file-sharing platform, and stems from insufficient rate-limiting controls (CWE-770: Allocation of Resources Without Limits or Throttling). The root cause is the absence of per-user, per-action frequency thresholds on outbound email operations, which lets an authenticated high-privilege user (PR:H in the CVSS vector) submit an unbounded number of email requests. This can exhaust email queue resources, trigger throttling by the mail server, or generate enough volume to impair the platform's ability to deliver legitimate notifications.
Remediation (AI)
A vendor patch is available from IBM. Organizations should upgrade IBM Aspera Shares to a patched version beyond 1.11.0 as specified in the IBM security advisory (https://www.ibm.com/support/pages/node/7267848). As interim compensating controls pending the upgrade: restrict email-sending privileges within Aspera Shares to the administrative users who need them, apply network-level rate limiting to outbound SMTP traffic from the Aspera Shares server, and monitor email queue depth and outbound mail volume for anomalous spikes that could indicate exploitation. Prioritize patching for Aspera Shares instances reachable by untrusted internal users or deployed in multi-tenant environments.
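The control whose absence is described in the Technical Context, and which the Remediation recommends compensating for, is a per-user, per-action frequency threshold on email sends. The following is an added illustration of that control (not IBM's code nor the Aspera Shares implementation): a token-bucket limiter keyed on (user, action), with a constructed scenario showing a burst from one account being capped while later requests are still served. The limits, the `send_share_email` gate and the fake clock are assumptions made for the example.

```python
import time


class ActionRateLimiter:
    """Token bucket per (user, action): up to `capacity` requests in a burst,
    refilled at `rate` tokens per second. `clock` is injectable for testing."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.clock = clock
        self._buckets = {}  # (user, action) -> [tokens, last_refill_time]

    def allow(self, user, action):
        """Consume one token; True if the request may proceed, False if it should be rejected."""
        now = self.clock()
        tokens, last = self._buckets.get((user, action), (self.capacity, now))
        # Refill in proportion to elapsed time, capped at the bucket capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[(user, action)] = [tokens - 1.0, now]
            return True
        self._buckets[(user, action)] = [tokens, now]
        return False


def send_share_email(limiter, user, recipients, mailer):
    """Gate a share-notification send on the limiter before it reaches the mail queue.
    Returns False (caller should answer HTTP 429 and log the event) when throttled."""
    if not limiter.allow(user, "send_email"):
        return False
    mailer(user, recipients)
    return True


def simulate(burst, capacity=5, rate=1.0):
    """Constructed scenario: `burst` back-to-back sends from one account, then one more
    send two seconds later. Returns (accepted_in_burst, accepted_after_pause)."""
    fake_now = [1000.0]
    limiter = ActionRateLimiter(capacity, rate, clock=lambda: fake_now[0])
    queued = []
    mailer = lambda user, rcpts: queued.append((user, tuple(rcpts)))
    accepted = sum(send_share_email(limiter, "admin", ["user@example.test"], mailer)
                   for _ in range(burst))
    fake_now[0] += 2.0  # two seconds of refill restores two tokens
    after = send_share_email(limiter, "admin", ["user@example.test"], mailer)
    return accepted, after


if __name__ == "__main__":
    print(simulate(20))  # (5, True): burst capped at 5, later send allowed
```

Rejected requests are the signal to log and alert on; a single account hitting the limit repeatedly is exactly the anomalous outbound-mail pattern the remediation says to monitor for.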
EUVD-2025-209186