ACE Center CVE-2025-8884
MEDIUMSeverity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in VHS Electronic Software Ltd. Co. ACE Center allows Privilege Abuse, Exploitation of Trusted Identifiers.
This issue affects ACE Center: from 3.10.100.1768 before 3.10.161.2255.
AnalysisAI
Authorization bypass via user-controlled key in ACE Center (VHS Electronic Software Ltd. Co.) allows a locally-authenticated low-privileged user to exploit trusted identifiers and access sensitive resources beyond their authorization level. Affected versions span 3.10.100.1768 through 3.10.161.2255, with high confidentiality impact (C:H) but no integrity or availability effect per the CVSS vector. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating no observed widespread exploitation at time of analysis.
Technical ContextAI
CWE-639 (Authorization Bypass Through User-Controlled Key) describes a class of flaws where an application uses a user-supplied value - such as a record ID, token, session identifier, or object reference - to look up or authorize access to a resource without performing a sufficient server-side ownership or privilege check. This is structurally equivalent to an Insecure Direct Object Reference (IDOR). In ACE Center, the application trusts a key supplied by the client to gate access to objects, enabling a low-privileged account holder to substitute or manipulate that key to retrieve data belonging to other users or higher-privilege roles. The CVSS local attack vector (AV:L) indicates the vulnerable interface is accessible locally - likely a thick-client application, locally-hosted web portal, or internal API endpoint - rather than exposed to the public internet by default. The vendor VHS Electronic Software Ltd. Co. appears to be a Turkish software provider, consistent with the vulnerability being reported and disclosed by Turkey's national CERT (USOM/SOME).
Affected ProductsAI
ACE Center by VHS Electronic Software Ltd. Co. is affected across versions from 3.10.100.1768 up to but not including 3.10.161.2255. No CPE strings were provided in the available intelligence. The Turkish national CERT (USOM) advisory TR-25-0348 is the primary disclosure source, available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0348 and https://www.usom.gov.tr/bildirim/tr-25-0348.
RemediationAI
Upgrade ACE Center to version 3.10.161.2255 or later, which is identified in the CVE record as the boundary fix version; however, this version has not been independently confirmed as a formally released patch beyond the NVD/USOM disclosure - organizations should verify availability directly with VHS Electronic Software Ltd. Co. and consult the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0348. As an interim compensating control, restrict ACE Center access strictly to trusted, individually-vetted user accounts and eliminate shared or generic low-privileged credentials, since the attack requires an authenticated session; the trade-off is increased administrative overhead. Additionally, enabling audit logging on all object-access events can help detect anomalous key manipulation patterns before full exploitation is confirmed.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today