CVE-2025-66837

Severity: 6.8 MEDIUM

📋 TL;DR

A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to upload crafted PDF files that lead to arbitrary code execution on the server. It affects organizations running the vulnerable ARIS version for business process management.

💻 Affected Systems

Products:
  • Software AG ARIS
Versions: 10.0.23.0.3587512
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects ARIS installations with file upload functionality enabled

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise leading to data theft, ransomware deployment, or lateral movement across the network

🟠 Likely Case: Malware installation, data exfiltration, or creation of persistent backdoors

🟢 If Mitigated: Limited impact if file uploads are restricted and proper validation is in place

🌐 Internet-Facing: HIGH - If ARIS is exposed to the internet, attackers can exploit it directly without any internal network access
🏢 Internal Only: MEDIUM - Requires internal network access, but could be exploited by malicious insiders or from compromised internal systems

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the file upload function but does not need authentication if that function is publicly accessible

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.softwareag.com/

Restart Required: No

Instructions:

1. Check the Software AG website for security updates
2. Apply any available patches
3. Verify that the fix does not break functionality

🔧 Temporary Workarounds

Restrict PDF file uploads (applies to: all)

Block PDF file uploads through the web application firewall or server configuration

Implement file validation (applies to: all)

Add server-side validation to check file types and content before processing
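The following is an added example of the kind of server-side validation the workaround above calls for; it is not ARIS code and not from the vendor. It assumes the upload handler can pass the received filename and raw bytes to a check before anything else touches the file, and the size cap, the filename policy, and the list of active-content markers are assumptions to tune for your deployment. The client-supplied Content-Type is ignored on purpose, because it is attacker-controlled.

```python
import os
import re

PDF_MAGIC = b"%PDF-"
MAX_PDF_BYTES = 10 * 1024 * 1024  # assumed cap; tune to the documents you expect
# PDF features that embed scripts or launch actions. Presence is a reason to
# reject or quarantine the upload, not proof that the file is malicious.
ACTIVE_CONTENT_MARKERS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")
# Conservative filename policy: no path separators, no unusual characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,100}$")


def validate_pdf_upload(filename: str, data: bytes, max_bytes: int = MAX_PDF_BYTES):
    """Return (accepted, reason). All checks run on the bytes actually received."""
    base = os.path.basename(filename)
    if base != filename or not SAFE_NAME.match(base):
        return False, "unsafe filename"
    root, ext = os.path.splitext(base)
    # Require a single .pdf extension; rejects report.pdf.exe and report.exe.pdf.
    if ext.lower() != ".pdf" or "." in root:
        return False, "extension must be .pdf"
    if len(data) == 0 or len(data) > max_bytes:
        return False, "size out of bounds"
    # Content check: the extension says nothing about what the bytes are.
    if not data.startswith(PDF_MAGIC):
        return False, "missing PDF header"
    if b"%%EOF" not in data[-1024:]:
        return False, "missing PDF trailer"
    found = [m.decode() for m in ACTIVE_CONTENT_MARKERS if m in data]
    if found:
        return False, "active content: " + ",".join(found)
    return True, "ok"


# Constructed sample inputs (not real documents) for demonstration.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
              b"trailer<</Root 1 0 R>>\n%%EOF\n")
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog"
                b"/OpenAction<</S/JavaScript/JS(x)>>>>endobj\n%%EOF\n")
NOT_A_PDF = b"MZ\x90\x00" + bytes(64)  # executable header with a .pdf name


def run_samples():
    """Exercise the validator on the constructed samples; returns name -> verdict."""
    cases = {
        "benign": ("report.pdf", BENIGN_PDF),
        "scripted": ("report.pdf", SCRIPTED_PDF),
        "renamed_binary": ("invoice.pdf", NOT_A_PDF),
        "path_traversal": ("../report.pdf", BENIGN_PDF),
        "double_extension": ("report.pdf.exe", BENIGN_PDF),
    }
    return {name: validate_pdf_upload(fn, data) for name, (fn, data) in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18} -> {verdict}")
```

Only the "benign" sample is accepted. The header and trailer checks stop a renamed executable that merely carries a .pdf name, and the marker scan catches documents that declare script or launch actions. Rejected files should be logged with the reason so the detection rules below have something to key on.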

🧯 If You Can't Patch

  • Isolate ARIS server from internet and restrict internal access
  • Implement strict file upload policies and monitor for suspicious uploads

🔍 How to Verify

Check if Vulnerable:

Check the ARIS version in the administration console or configuration files

Check Version:

Check the ARIS administration panel or consult the installation documentation

Verify Fix Applied:

Test the file upload functionality with malicious PDF files to ensure they are rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual PDF file uploads
  • Large file uploads to ARIS endpoints
  • Suspicious process execution after file upload

Network Indicators:

  • HTTP POST requests to file upload endpoints with PDF content
  • Outbound connections from ARIS server after file upload

SIEM Query:

source="ARIS" AND (event="file_upload" AND file_extension="pdf")
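As an added example (not part of the original advisory and not ARIS tooling), the check below applies the SIEM query above to log lines and then extends it with the correlation the log indicators describe: a PDF upload followed shortly by process creation on the same host. The log format, field names, host names and the two-minute window are all constructed assumptions; map them to the fields your ARIS and endpoint logs actually emit.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real ARIS output) in an illustrative key=value format.
SAMPLE_LOGS = """\
2025-01-10T10:00:01Z source="ARIS" host="aris01" event="file_upload" user="alice" file_name="process.pdf" file_extension="pdf" size=20480
2025-01-10T10:00:05Z source="ARIS" host="aris01" event="file_upload" user="bob" file_name="model.xml" file_extension="xml" size=4096
2025-01-10T10:00:09Z source="ARIS" host="aris01" event="process_start" parent="java" image="cmd.exe" user="arisservice"
2025-01-10T10:30:00Z source="ARIS" host="aris02" event="file_upload" user="carol" file_name="diagram.pdf" file_extension="pdf" size=102400
2025-01-10T11:30:00Z source="ARIS" host="aris02" event="process_start" parent="java" image="powershell.exe" user="arisservice"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_logs(text):
    """Turn key=value lines into dicts with a parsed 'ts' datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.partition(" ")
        fields = {k: (q or u) for k, q, u in KV.findall(rest)}
        fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def pdf_uploads(events):
    """Equivalent of: source="ARIS" AND event="file_upload" AND file_extension="pdf"."""
    return [e for e in events
            if e.get("source") == "ARIS"
            and e.get("event") == "file_upload"
            and e.get("file_extension", "").lower() == "pdf"]


def upload_followed_by_process(events, window=timedelta(minutes=2)):
    """PDF upload followed by a process start on the same host within the window.
    Returns (uploaded file name, started image) pairs worth an analyst's attention."""
    hits = []
    for u in pdf_uploads(events):
        for p in events:
            if (p.get("event") == "process_start"
                    and p.get("host") == u.get("host")
                    and u["ts"] <= p["ts"] <= u["ts"] + window):
                hits.append((u["file_name"], p["image"]))
    return hits


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    print("PDF uploads:", [e["file_name"] for e in pdf_uploads(evts)])
    print("Upload -> process within window:", upload_followed_by_process(evts))
```

On the sample data the plain query returns both PDF uploads, while the correlation narrows the result to the one upload on aris01 that was followed by cmd.exe eight seconds later; the aris02 upload an hour before a process start falls outside the window. Correlation on the host field matters here because the page's indicators are only meaningful when the process starts on the server that received the file.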
