Skip to main content

Aybs Interaktif CVE-2025-8887

MEDIUM
Information Exposure (CWE-200)
2025-10-10 iletisim@usom.gov.tr
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 12:32 vuln.today

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key, Missing Authorization, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Forceful Browsing, Parameter Injection, Input Data Manipulation.

This issue affects Aybs Interaktif: from 2024 through 28082025.

AnalysisAI

Authorization bypass and sensitive information disclosure in Usta Information Systems Inc. Aybs Interaktif allows a locally authenticated low-privilege user to access unauthorized data through forceful browsing, parameter injection, and input data manipulation. The vulnerability chain - CWE-639 (user-controlled key bypass) combined with CWE-862 (missing authorization) and CWE-200 (information disclosure) - permits manipulation of application parameters to circumvent access controls and retrieve sensitive records belonging to other users or restricted contexts. No confirmed active exploitation (not in CISA KEV), and the EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation pressure at time of analysis.

Technical ContextAI

Aybs Interaktif is an interactive management information system developed by the Turkish vendor Usta Information Systems Inc., with a date-based versioning scheme (affected from 2024 through version dated 28082025, i.e., August 28, 2025). The root cause is CWE-200 (Exposure of Sensitive Information), compounded by authorization design flaws: the application uses user-controlled keys (e.g., object IDs or record identifiers supplied via request parameters) to reference server-side resources without enforcing server-side authorization checks - a classic Insecure Direct Object Reference (IDOR) pattern. The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U indicates this is a locally-scoped application (intranet/internal deployment), reachable by authenticated local users with standard low-privilege accounts. The attack surface encompasses forceful browsing (direct URL access to restricted endpoints), parameter injection (injecting or altering record identifiers), and input data manipulation to traverse authorization boundaries.

Affected ProductsAI

Aybs Interaktif by Usta Information Systems Inc. is affected across all versions from the 2024 release through version 28082025 (date-versioned as August 28, 2025). No CPE string was provided in the NVD data. The vendor advisory and Turkish USOM notification are available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0329 and https://www.usom.gov.tr/bildirim/tr-25-0329. Deployments of Aybs Interaktif in any version within this date range on intranet or internal enterprise environments should be considered affected.

RemediationAI

The primary remediation is to apply any vendor-released patch or updated build published after August 28, 2025, per guidance in the Turkish USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0329. No exact fixed version number was confirmed in the available NVD or USOM data - contact Usta Information Systems Inc. directly to obtain the patched release. As compensating controls pending a patch: restrict access to the application strictly to authorized users via network-level controls (firewall rules, VPN enforcement), enforce role-based access controls at the network perimeter to prevent lateral access by unintended users, and enable application-level audit logging for all parameter-bearing requests to detect forceful browsing patterns. Note that network restriction reduces exposure but does not remediate the underlying missing server-side authorization - it only limits who can attempt exploitation. Review application code or configuration for any endpoints that resolve resource identifiers from user input without re-validating the requesting user's permission against that resource.

Share

CVE-2025-8887 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy