Skip to main content

ACE Center CVE-2025-8884

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2025-10-20 iletisim@usom.gov.tr
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 12:32 vuln.today

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in VHS Electronic Software Ltd. Co. ACE Center allows Privilege Abuse, Exploitation of Trusted Identifiers.

This issue affects ACE Center: from 3.10.100.1768 before 3.10.161.2255.

AnalysisAI

Authorization bypass via user-controlled key in ACE Center (VHS Electronic Software Ltd. Co.) allows a locally-authenticated low-privileged user to exploit trusted identifiers and access sensitive resources beyond their authorization level. Affected versions span 3.10.100.1768 through 3.10.161.2255, with high confidentiality impact (C:H) but no integrity or availability effect per the CVSS vector. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating no observed widespread exploitation at time of analysis.

Technical ContextAI

CWE-639 (Authorization Bypass Through User-Controlled Key) describes a class of flaws where an application uses a user-supplied value - such as a record ID, token, session identifier, or object reference - to look up or authorize access to a resource without performing a sufficient server-side ownership or privilege check. This is structurally equivalent to an Insecure Direct Object Reference (IDOR). In ACE Center, the application trusts a key supplied by the client to gate access to objects, enabling a low-privileged account holder to substitute or manipulate that key to retrieve data belonging to other users or higher-privilege roles. The CVSS local attack vector (AV:L) indicates the vulnerable interface is accessible locally - likely a thick-client application, locally-hosted web portal, or internal API endpoint - rather than exposed to the public internet by default. The vendor VHS Electronic Software Ltd. Co. appears to be a Turkish software provider, consistent with the vulnerability being reported and disclosed by Turkey's national CERT (USOM/SOME).

Affected ProductsAI

ACE Center by VHS Electronic Software Ltd. Co. is affected across versions from 3.10.100.1768 up to but not including 3.10.161.2255. No CPE strings were provided in the available intelligence. The Turkish national CERT (USOM) advisory TR-25-0348 is the primary disclosure source, available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0348 and https://www.usom.gov.tr/bildirim/tr-25-0348.

RemediationAI

Upgrade ACE Center to version 3.10.161.2255 or later, which is identified in the CVE record as the boundary fix version; however, this version has not been independently confirmed as a formally released patch beyond the NVD/USOM disclosure - organizations should verify availability directly with VHS Electronic Software Ltd. Co. and consult the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0348. As an interim compensating control, restrict ACE Center access strictly to trusted, individually-vetted user accounts and eliminate shared or generic low-privileged credentials, since the attack requires an authenticated session; the trade-off is increased administrative overhead. Additionally, enabling audit logging on all object-access events can help detect anomalous key manipulation patterns before full exploitation is confirmed.

Share

CVE-2025-8884 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy