Platform: ibm
Component: aspera-shares
Fixed in: 1.11.1
CVE-2025-66487 describes a denial-of-service (DoS) vulnerability affecting IBM Aspera Shares versions 1.9.9 through 1.11.0. This flaw arises from a lack of proper rate limiting on email sending by authenticated users, allowing for potential email flooding. While the CVSS score is LOW (2.7), the impact can still disrupt service availability. A fix is expected from IBM.
The primary impact of CVE-2025-66487 is a denial-of-service condition. An attacker, having authenticated access to the Aspera Shares system, could exploit this vulnerability by sending a high volume of emails. This flood of emails could overwhelm the system's resources, including mail servers and network bandwidth, rendering the Aspera Shares application unavailable to legitimate users. The attacker does not gain unauthorized access to data, but can effectively disrupt business operations relying on Aspera Shares. While the CVSS score is low, the impact on critical workflows should not be underestimated.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not currently available. Given the LOW CVSS score and the requirement for authenticated access, the probability of widespread exploitation is considered low. The vulnerability was publicly disclosed on 2026-04-01.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-66487 is to upgrade to a patched version of IBM Aspera Shares as soon as it becomes available. Until a patch is applied, implement rate limiting on email sending functionality within Aspera Shares. This can be achieved through configuration changes or by deploying a Web Application Firewall (WAF) or proxy server to filter excessive email requests. Monitor email server logs for unusual activity and consider implementing intrusion detection system (IDS) rules to identify potential email flooding attacks. After upgrade, confirm functionality by sending a test email and verifying it is processed correctly.
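The interim measures above (per-user rate limiting on email sending, and reviewing logs for flooding) both reduce to the same check: count sends per authenticated user inside a sliding time window. The example below is added here and is not IBM's code; it assumes a constructed log line format (`<timestamp> user=<name> action=send_email ...`) because the page does not document the real Aspera Shares log layout, and it replays such lines through a per-user sliding-window limiter to report which users exceeded the limit.

```python
"""Per-user sliding-window check for email sends, replayed over log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed line format (assumption): "2026-04-01T10:00:00Z user=alice action=send_email to=..."
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=send_email\b")


def parse_line(line):
    """Return (timestamp, user) for a send_email line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"]


class SlidingWindowLimiter:
    """Allow at most `limit` sends per user within any `window_seconds` span."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self.events = defaultdict(deque)  # user -> timestamps of allowed sends

    def allow(self, user, ts):
        q = self.events[user]
        while q and ts - q[0] >= self.window:  # drop sends that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # would exceed the limit: reject (or, in detection mode, flag)
        q.append(ts)
        return True


def find_flooders(lines, limit=5, window_seconds=60):
    """Replay time-ordered log lines; return {user: number_of_sends_over_limit}."""
    limiter = SlidingWindowLimiter(limit, window_seconds)
    rejected = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user = parsed
        if not limiter.allow(user, ts):
            rejected[user] += 1
    return dict(rejected)


# Constructed sample: one user sends 10 emails in 18 seconds, another sends one and logs in.
SAMPLE_LOG = [f"2026-04-01T10:00:{s:02d}Z user=mallory action=send_email to=x@example.com"
              for s in range(0, 20, 2)] + [
    "2026-04-01T10:00:30Z user=alice action=send_email to=bob@example.com",
    "2026-04-01T10:00:31Z user=alice action=login",
]
```

Running `find_flooders(SAMPLE_LOG)` reports `{"mallory": 5}`: the first five sends are within the limit and the remaining five would be rejected by the limiter or flagged by the detection.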
Update IBM Aspera Shares to a version later than 1.11.0 to fix the email rate-limiting vulnerability. This will prevent possible email flooding and denial of service.
CVE-2025-66487 is a denial-of-service vulnerability in IBM Aspera Shares versions 1.9.9 through 1.11.0, allowing authenticated users to flood the system with emails.
You are affected if you are running IBM Aspera Shares versions 1.9.9 through 1.11.0 and have not applied the available fix.
Upgrade to a patched version of IBM Aspera Shares as soon as it becomes available. Implement rate limiting on email sending as an interim measure.
There is currently no evidence of active exploitation, but the vulnerability remains present in unpatched systems.
Refer to the official IBM Security Bulletin for CVE-2025-66487 once published on the IBM Security Support website.