Recently Patched IBM Aspera Faspex Vulnerability Exploited in the Wild
15-Feb-23
Aspera Faspex file transfer software users are being cautioned that a newly fixed vulnerability is already being used in the public. The YAML deserialization bug, identified as CVE-2022-47986 and rated as “high severity,” allows a remote attacker to execute arbitrary code by leveraging carefully designed API requests. Researchers at Assetnote, a company that manages attack surfaces, found the problem in October 2022 and informed IBM about it. In January 2023, IBM provided a fix and let users know about it. Assetnote detailed the vulnerability in a blog post on February 2—about a week after IBM’s warning was released—and stated that an unauthenticated attacker can use CVE-2022-47986 to execute arbitrary instructions on the affected Aspera system.
