Aybs Interaktif CVE-2025-8886
MEDIUMSeverity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Incorrect Permission Assignment for Critical Resource, Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization, Incorrect Authorization vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Privilege Abuse, Authentication Bypass.
This issue affects Aybs Interaktif: from 2024 through 28082025.
AnalysisAI
Privilege abuse and authentication bypass in Aybs Interaktif (by Usta Information Systems Inc.) expose high-confidentiality and high-integrity impacts to local attackers who require no prior privileges. The vulnerability cluster - spanning incorrect permission assignment, missing authorization, incorrect authorization, and sensitive data exposure (CWE-200) - enables an actor with local system access to bypass access controls, potentially reading sensitive resources and modifying data without authorization. No public exploit or CISA KEV listing is identified at time of analysis, but the Turkish National CERT (USOM) has issued advisory TR-25-0329 covering all versions from 2024 through build 28082025.
Technical ContextAI
Aybs Interaktif is a Turkish interactive information management platform developed by Usta Information Systems Inc. The vulnerability cluster encompasses four distinct weakness classes: CWE-732 (Incorrect Permission Assignment for Critical Resource), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-862 (Missing Authorization), and CWE-863 (Incorrect Authorization). The root cause pattern indicates that critical application resources lack properly enforced access controls - permissions are either misconfigured, not checked at all, or validated incorrectly, allowing a local actor to reach data or functionality reserved for privileged roles. The CVSS vector AV:L/AC:H/PR:N/UI:N/S:U confirms the vulnerability is exercised locally (not over a network), requires no privileges on the target, demands no user interaction, and is contained within the application's security scope. AC:H signals that exploitation is not straightforward and likely depends on specific system state, race conditions, or precise timing.
Affected ProductsAI
Aybs Interaktif by Usta Information Systems Inc. is affected across all versions from the 2024 release through build dated 28082025 (interpreted as August 28, 2025). No CPE string was provided in the source data. The full version range is defined in USOM advisory TR-25-0329, available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0329 and https://www.usom.gov.tr/bildirim/tr-25-0329. No platform-specific scoping (e.g., Windows-only or web-only deployment) was identified from available data.
RemediationAI
Consult the USOM advisory TR-25-0329 at https://www.usom.gov.tr/bildirim/tr-25-0329 for vendor-specific patching guidance - a patched release version is not independently confirmed from the data provided, as the affected range ends at build 28082025 without an explicit successor version named. Contact Usta Information Systems Inc. directly to confirm whether a remediated build has been issued. As interim compensating controls, restrict local access to systems running Aybs Interaktif to the minimum required user set, applying OS-level access controls and audit logging to detect unauthorized privilege escalation attempts. Review and tighten file system and resource permissions on directories used by the application to close the incorrect permission assignment vector. If the application is deployed in a shared or multi-tenant environment, consider isolating it to a dedicated host or container until the vendor confirms a patched version. Note that these controls reduce the attack surface but do not eliminate the underlying authorization flaws.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today