Product: IBM Aspera Faspex
Affected Versions: 5.0.0 – 5.0.14.1
Audience: SOC / AppSec / Infrastructure
Last Updated: December 2025
Overview
Three security vulnerabilities were identified in IBM Aspera Faspex 5 affecting input handling, object access controls, and authorization enforcement. All issues require authentication but only low-privileged access, making them realistic threats in enterprise environments where Faspex is widely used for internal and external file transfers.
CVE-2025-36230 – HTML Injection in Web Interface
Severity: Medium
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CWE: CWE-80
Exploit Status: No public PoC
Description
Faspex fails to consistently sanitize user-supplied input before rendering it in the web UI. HTML characters are not properly encoded, allowing injected content to be rendered directly in the victim’s browser.
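The encoding failure described above, as an added illustration that is not Faspex code (the `subject` and `note` field names, the in-memory record and the sample markup are constructed for the example): the first function interpolates sender-supplied metadata straight into the fragment the recipient's browser renders, the second encodes it with `html.escape` so the same text is displayed rather than parsed.

```python
import html

# Constructed sample metadata as a sender could submit it (field names assumed).
PACKAGE = {
    "sender": "alice@example.com",
    "subject": 'Q4 report <img src=x onerror="alert(1)">',
    "note": "Please review <script>alert(1)</script>",
}


def render_package_vulnerable(pkg: dict) -> str:
    """The pattern the advisory describes: raw values are interpolated into
    the page, so any markup the sender included is parsed by the viewer's
    browser instead of being shown as text."""
    return (
        f"<div class='package'><h2>{pkg['subject']}</h2>"
        f"<p>From: {pkg['sender']}</p><p>{pkg['note']}</p></div>"
    )


def render_package_hardened(pkg: dict) -> str:
    """Same fragment, but every user-controlled value is entity-encoded
    (<, >, &, " and ') before it reaches the output."""
    esc = {k: html.escape(str(v), quote=True) for k, v in pkg.items()}
    return (
        f"<div class='package'><h2>{esc['subject']}</h2>"
        f"<p>From: {esc['sender']}</p><p>{esc['note']}</p></div>"
    )


def contains_raw_tag(fragment: str) -> bool:
    """Check used to compare the two renderings: does a user-supplied tag
    survive into the output as a real tag (not as &lt;...)?"""
    lowered = fragment.lower()
    return "<script" in lowered or "<img" in lowered


if __name__ == "__main__":
    print("vulnerable:", render_package_vulnerable(PACKAGE))
    print("hardened:  ", render_package_hardened(PACKAGE))
```

Output encoding at the rendering layer is the fix; a template engine with autoescaping enabled does the same thing by default, and input-side filtering (the WAF control listed under Interim Controls) only reduces exposure until the upgrade is applied.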
Impact & Exploitation
An authenticated attacker can embed HTML or JavaScript in package metadata or messages and send it to other users. When the victim views the package, the injected content executes in their session, potentially allowing:
- Session cookie theft
- UI manipulation
- Phishing redirects
User interaction is required, but the trusted nature of file transfers increases the likelihood of exploitation.
MITRE ATT&CK
- T1189 – Drive-by Compromise
- T1185 – Browser Session Hijacking
- T1557 – Adversary-in-the-Middle
Detection
Monitor for:
- HTML tags in unexpected fields (`<script>`, `<img>`, `<iframe>`)
- Event handlers (`onerror=`, `onload=`)
- Encoded payloads (`%3Cscript` and other encoded forms of `<script`)
Splunk (Example):

```spl
index=webserver sourcetype=faspex_access
| rex field=request_body "(?i)(?<html_injection><script|<img|<iframe|onerror=|onload=|javascript:|%3Cscript)"
| where isnotnull(html_injection)
| stats count by src_ip, user
| where count > 3
```

The `(?i)` flag makes the match case-insensitive (browsers parse `<SCRIPT>` and `ONERROR=` just as readily), and `%3Cscript` covers the URL-encoded form listed above.
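The same detection logic as the Splunk search, written in Python as an added example (not part of the advisory) so it can be run over exported access-log events offline. The event records below are constructed; they use the same `src_ip`, `user` and `request_body` fields the search assumes. The body is URL-decoded before matching, so `%3Cscript` is caught without a separate token, and matching is case-insensitive.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample events in the shape the Splunk search assumes:
# one record per request with the source address, the authenticated user
# and the request body as logged.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "user": "mallory", "request_body": "subject=Hi&note=<script>alert(1)</script>"},
    {"src_ip": "10.0.0.5", "user": "mallory", "request_body": "subject=%3Cscript%3Ealert(1)%3C/script%3E"},
    {"src_ip": "10.0.0.5", "user": "mallory", "request_body": "note=<IMG SRC=x ONERROR=alert(1)>"},
    {"src_ip": "10.0.0.5", "user": "mallory", "request_body": "note=<iframe src=//example.invalid>"},
    {"src_ip": "10.0.0.9", "user": "bob", "request_body": "subject=Meeting notes&note=see attached"},
    {"src_ip": "10.0.0.9", "user": "bob", "request_body": "note=price < 100 and > 50"},
]

# Same token list as the rex in the Splunk search; IGNORECASE because the
# browser does not care about the case of a tag or attribute name.
HTML_INJECTION_RE = re.compile(
    r"<script|<img|<iframe|onerror=|onload=|javascript:", re.IGNORECASE
)


def find_injection(body: str):
    """Return the first matching token (lower-cased) after URL-decoding,
    or None when the body contains nothing on the list. A bare '<' or '>'
    in ordinary text does not match."""
    m = HTML_INJECTION_RE.search(unquote(body))
    return m.group(0).lower() if m else None


def suspicious_sources(events, threshold: int = 3):
    """Equivalent of `stats count by src_ip, user | where count > threshold`:
    returns {(src_ip, user): hit_count} for sources above the threshold."""
    counts = Counter()
    for ev in events:
        if find_injection(ev["request_body"]):
            counts[(ev["src_ip"], ev["user"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for (ip, user), n in suspicious_sources(SAMPLE_EVENTS).items():
        print(f"{user}@{ip}: {n} requests carrying HTML/script tokens")
```

The threshold of more than three hits per source mirrors the search above; a single hit is worth reviewing on its own when the target field is one that legitimately never contains markup, such as a package subject.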
CVE-2025-36229 – Package ID Enumeration (IDOR)
Severity: Low
CVSS: 4.3
CWE: CWE-203
Exploit Status: No public PoC
Description
Package identifiers are predictable, and authorization checks are insufficient when requesting package metadata. Users can modify package IDs to determine the existence of packages they do not own.
Impact & Exploitation
An authenticated user can iterate package IDs and extract metadata such as:
- Sender and recipient identities
- File names and sizes
- Transfer timestamps
While files are not directly accessible, the exposed metadata can enable reconnaissance, business intelligence gathering, or targeted attacks.
MITRE ATT&CK
- T1087 – Account Discovery
- T1530 – Data from Cloud Storage
- T1190 – Exploit Public-Facing Application
Detection
Indicators:
- Sequential API requests to `/api/packages/{id}`
- High volumes of 403/404 responses
- Incrementing numeric patterns in requests
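A detector for the three indicators above, as an added example that is not part of the advisory. It parses constructed access-log lines for `/api/packages/{id}`, measures the longest run of consecutive package IDs per user, and combines that with the share of 403/404 responses; the log line format, the thresholds and the sample users are assumptions for the example.

```python
import re
from collections import defaultdict

# Assumed log line layout: timestamp, source IP, user, method, path, status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"/api/packages/(?P<id>\d+) (?P<status>\d{3})$"
)

# Constructed sample: one user walks IDs one at a time and is mostly refused,
# another opens a few unrelated packages in the ordinary way.
SAMPLE_LOG = """\
2025-12-01T10:00:01Z 10.0.0.5 mallory GET /api/packages/1040 200
2025-12-01T10:00:02Z 10.0.0.5 mallory GET /api/packages/1041 404
2025-12-01T10:00:03Z 10.0.0.5 mallory GET /api/packages/1042 403
2025-12-01T10:00:04Z 10.0.0.5 mallory GET /api/packages/1043 403
2025-12-01T10:00:05Z 10.0.0.5 mallory GET /api/packages/1044 404
2025-12-01T10:00:06Z 10.0.0.5 mallory GET /api/packages/1045 403
2025-12-01T10:02:00Z 10.0.0.9 bob GET /api/packages/2210 200
2025-12-01T10:05:00Z 10.0.0.9 bob GET /api/packages/1987 200
2025-12-01T10:05:01Z 10.0.0.9 bob GET /api/packages/3001 404
"""


def parse_package_requests(log_text: str):
    """Group (package_id, status) pairs per user, in log order."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            per_user[m["user"]].append((int(m["id"]), int(m["status"])))
    return per_user


def longest_sequential_run(ids) -> int:
    """Length of the longest run in which each ID is exactly one above the
    previous one (the 'incrementing numeric pattern' indicator)."""
    if not ids:
        return 0
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def enumeration_suspects(log_text: str, min_run: int = 4, min_denied_ratio: float = 0.5):
    """Flag users who both walk consecutive IDs and are mostly refused.
    Thresholds are assumptions; tune them to the deployment's normal traffic."""
    suspects = {}
    for user, reqs in parse_package_requests(log_text).items():
        ids = [pid for pid, _ in reqs]
        denied = sum(1 for _, status in reqs if status in (403, 404))
        ratio = denied / len(reqs)
        run = longest_sequential_run(ids)
        if run >= min_run and ratio >= min_denied_ratio:
            suspects[user] = {
                "sequential_run": run,
                "denied_ratio": round(ratio, 2),
                "requests": len(reqs),
            }
    return suspects


if __name__ == "__main__":
    for user, facts in enumeration_suspects(SAMPLE_LOG).items():
        print(user, facts)
```

Requiring both signals keeps a user who simply opens a few wrong links out of the alert; a scripted walk through the ID space produces a long consecutive run and a high refusal rate at the same time.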
CVE-2025-36228 – Backend Authorization Bypass
Severity: Medium
CVSS: 6.5
CWE: CWE-602
Exploit Status: No public PoC
Description
Faspex relies on UI controls to restrict functionality, but backend APIs do not consistently validate user permissions. Disabled or hidden UI actions may still be executable via direct API calls.
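Both the package-metadata weakness (CVE-2025-36229, above) and the UI-only restriction described here come down to checks that must live in the backend handler. The following is an added example, not Faspex code: an in-memory package store, a metadata endpoint that enforces ownership server-side and answers identically for a package the caller may not see and one that does not exist (so the response is not an existence oracle), a variant showing how a 403/404 discrepancy leaks that information, and an admin-action endpoint that re-checks the caller's role on every call regardless of what the UI shows. The roles, action names and records are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Package:
    id: int
    sender: str
    recipients: frozenset
    metadata: dict


# Constructed in-memory store standing in for the package database.
PACKAGES = {
    1040: Package(1040, "alice", frozenset({"bob"}), {"files": ["q4.xlsx"], "size": 120000}),
    1041: Package(1041, "carol", frozenset({"dave"}), {"files": ["payroll.csv"], "size": 8000}),
}

# Assumed admin-only actions; the UI hides these for ordinary users.
ADMIN_ACTIONS = {"delete_any_package", "export_audit_log"}


def can_view(user: User, pkg: Package) -> bool:
    """Ownership rule: sender, recipient, or an admin."""
    return user.name == pkg.sender or user.name in pkg.recipients or "admin" in user.roles


def get_package_metadata_leaky(user: User, package_id: int):
    """One way the existence leak arises: the lookup and the ownership check
    answer with different status codes, so a 403 confirms the ID is in use."""
    pkg = PACKAGES.get(package_id)
    if pkg is None:
        return 404, {"error": "not found"}
    if not can_view(user, pkg):
        return 403, {"error": "forbidden"}
    return 200, pkg.metadata


def get_package_metadata(user: User, package_id: int):
    """Hardened form: authorization is enforced here, not in the UI, and a
    package the caller may not see is reported exactly like a missing one."""
    pkg = PACKAGES.get(package_id)
    if pkg is None or not can_view(user, pkg):
        return 404, {"error": "not found"}
    return 200, pkg.metadata


def perform_admin_action(user: User, action: str):
    """Backend check for actions the UI hides from non-admins. Hiding the
    button is not a control; a replayed or hand-crafted request must get
    the same answer the UI would."""
    if action not in ADMIN_ACTIONS:
        return 404, {"error": "not found"}
    if "admin" not in user.roles:
        return 403, {"error": "forbidden"}
    return 200, {"result": f"{action} performed by {user.name}"}


if __name__ == "__main__":
    bob = User("bob")
    root = User("root", frozenset({"admin"}))
    print(get_package_metadata(bob, 1040))
    print(get_package_metadata(bob, 1041), get_package_metadata(bob, 9999))
    print(perform_admin_action(bob, "delete_any_package"))
    print(perform_admin_action(root, "delete_any_package"))
```

Answering 404 for both the foreign and the missing package removes the oracle; a scripted walk through the ID space still produces the high 404 volume listed under Detection, which is the signal to keep alerting on.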
Impact & Exploitation
An attacker can:
- Discover restricted endpoints using developer tools or traffic interception
- Replay or craft API requests directly
- Perform actions not permitted by their role
This could allow unauthorized administrative or bulk actions.
MITRE ATT&CK
- T1190 – Exploit Public-Facing Application
- T1548 – Abuse Elevation Control Mechanism
- T1565 – Data Manipulation
Detection
Watch for:
- Restricted API calls by non-admin users
- Unusual User-Agent strings
- Sensitive requests without UI navigation patterns
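The three indicators above turned into a small rule set, as an added example that is not part of the advisory. It replays constructed request events in time order and flags a call when it hits a restricted endpoint from a non-admin account, arrives with a non-browser User-Agent, or changes state without a recent page view from the same user. The route prefixes, the browser User-Agent prefix and the five-minute navigation window are assumptions, not Faspex's real routes or defaults.

```python
# Assumed route layout for the example (not Faspex's actual endpoints).
RESTRICTED_PREFIXES = ("/api/admin/", "/api/packages/bulk")
UI_PAGE_PREFIXES = ("/packages", "/admin")
BROWSER_UA_PREFIXES = ("Mozilla/",)
NAV_WINDOW_SECONDS = 300  # how recently a UI page view must precede an API write

# Constructed events: ts in seconds, the authenticated user and role as the
# application logged them, and the request method, path and User-Agent.
SAMPLE_EVENTS = [
    # bob opens a package page, then forwards it: the shape the UI produces
    {"ts": 0, "user": "bob", "role": "user", "method": "GET", "path": "/packages/1040", "ua": "Mozilla/5.0"},
    {"ts": 5, "user": "bob", "role": "user", "method": "POST", "path": "/api/packages/1040/forward", "ua": "Mozilla/5.0"},
    # mallory calls an admin-only endpoint from a script with no page view first
    {"ts": 100, "user": "mallory", "role": "user", "method": "DELETE", "path": "/api/admin/packages/1041", "ua": "python-requests/2.31"},
    # an admin does the same thing through the UI: not flagged
    {"ts": 200, "user": "root", "role": "admin", "method": "GET", "path": "/admin/packages", "ua": "Mozilla/5.0"},
    {"ts": 203, "user": "root", "role": "admin", "method": "DELETE", "path": "/api/admin/packages/1041", "ua": "Mozilla/5.0"},
]


def is_restricted(path: str) -> bool:
    return path.startswith(RESTRICTED_PREFIXES)


def is_ui_page(path: str) -> bool:
    return path.startswith(UI_PAGE_PREFIXES)


def detect_bypass_indicators(events):
    """Return one alert per suspicious API call with the reasons it matched."""
    alerts = []
    last_ui_view = {}  # user -> timestamp of their most recent HTML page view
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"] == "GET" and is_ui_page(ev["path"]):
            last_ui_view[ev["user"]] = ev["ts"]
            continue  # page views are context, not API calls to judge
        reasons = []
        if is_restricted(ev["path"]) and ev["role"] != "admin":
            reasons.append("restricted endpoint called by non-admin")
        if not ev["ua"].startswith(BROWSER_UA_PREFIXES):
            reasons.append("non-browser user agent")
        if ev["method"] in ("POST", "PUT", "DELETE"):
            seen = last_ui_view.get(ev["user"])
            if seen is None or ev["ts"] - seen > NAV_WINDOW_SECONDS:
                reasons.append("state-changing call without prior UI navigation")
        if reasons:
            alerts.append({"user": ev["user"], "path": ev["path"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_bypass_indicators(SAMPLE_EVENTS):
        print(alert["user"], alert["path"], "; ".join(alert["reasons"]))
```

The first rule is the one that matters for CVE-2025-36228 and needs the role to be present in the log, which is why detailed API logging is listed among the interim controls; the other two are supporting signals that also fire on legitimate integrations and should be weighted, not alerted on alone.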
Remediation
Official Fix
| Item | Details |
|---|---|
| Affected Versions | 5.0.0 – 5.0.14.1 |
| Fixed Version | 5.0.15+ |
| Platform | Linux (container images) |
| Workarounds | None |
Patch Guidance:
https://www.ibm.com/docs/en/aspera-faspex/5.0?topic=upgrades-patching-container-images
Interim Controls
- Enforce WAF filtering for HTML/script input
- Rate-limit package-related APIs
- Enable detailed API logging
- Restrict Faspex access to trusted networks
- Review and minimize user permissions
Final Takeaway
These vulnerabilities reflect weaknesses in input validation and authorization enforcement. While no unauthenticated compromise is possible, authenticated abuse could result in session compromise, sensitive metadata exposure, and unauthorized actions.
| CVE | Type | Severity | Priority |
|---|---|---|---|
| CVE-2025-36230 | HTML Injection | Medium (5.4) | High |
| CVE-2025-36229 | Information Disclosure | Low (4.3) | Medium |
| CVE-2025-36228 | Authorization Bypass | Medium (6.5) | High |
