CVE-2025-66838

MEDIUM

ARIS < 10.0.23.0.3587512 - Resource Exhaustion via Unrestricted File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-66838. PoCs published by saykino.

AI-analyzed exploit summary

This repository contains a writeup for CVE-2025-66838, detailing a lack of rate limiting in the file upload API of ARIS software, leading to potential denial of service (DoS) via resource exhaustion.

Description

In ARIS v10.0.23.0.3587512 and before, the file upload functionality does not enforce any rate limiting or throttling, allowing users to upload files at an unrestricted rate. An attacker can exploit this behavior to rapidly upload a large volume of files, potentially leading to resource exhaustion such as disk space depletion, increased server load, or degraded performance.

Exploits (1)

nomisec WRITEUP
by saykino · poc
https://github.com/saykino/CVE-2025-66838

This repository contains a writeup for CVE-2025-66838, detailing a lack of rate limiting in the file upload API of ARIS software, leading to potential denial of service (DoS) via resource exhaustion.

Classification
Writeup 100%
Attack Type
DoS
Complexity
Trivial
Reliability
Reliable
Target: ARIS versions before or equal to 10.0.23.0.3587512
Auth required
Prerequisites: Authenticated access to the file upload API
devstral-2 · analyzed Feb 16, 2026

References (2)

Scores

CVSS v3 6.5
EPSS 0.0031
EPSS Percentile 22.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (1)
softwareag/aris < 10.0.23.0.3587512
Published Jan 07, 2026
Tracked Since Feb 18, 2026