CVE-2025-41086

Authorization bypass in GAMS from GAMS Development Corp.

CVSS 6.9 MEDIUMEPSS 0.2%CWE-639

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.9EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

02 Dec 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Vulnerability in the access control system of the GAMS licensing system that allows unlimited valid licenses to be generated, bypassing any usage restrictions. The validator uses an insecure checksum algorithm; knowing this algorithm and the format of the license lines, an attacker can recalculate the checksum and generate a valid license to grant themselves full privileges without credentials or access to the source code, allowing them unrestricted access to GAMS's mathematical models and commercial solvers.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

AMS Development Corp. · GAMS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.gams.com/latest/docs/RN_51.html https://www.incibe.es/en/incibe-cert/notices/aviso/authorization-bypass-gams-gams-development-corp