Threat Advisory

IBM Aspera Vulnerability Allows Authentication Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in IBM Aspera High‑Speed Transfer Server and Endpoint products (versions 3.7.4 through 4.4.7 Fix Pack 1). The flaws include an authentication bypass, a path traversal, and both heap‑ and stack‑based buffer overflows, which can lead to denial‑of‑service, remote code execution, and unauthorized data disclosure. Collectively, these weaknesses expose enterprise file‑transfer networks to credential‑free access, data exfiltration, and service interruption, threatening critical business operations, regulatory compliance, and customer trust.


  • CVE-2026-7876 with a CVSS score of 9.1 – An authentication bypass allows a transfer client to access restricted files without credentials, requiring only network connectivity to the server.
  • CVE-2026-9035 with a CVSS score of 6.5 – A path traversal issue in asperahttpd lets authenticated users read arbitrary files, enabling insider data theft.
  • CVE-2026-8175 with a CVSS score of 9.8 – A heap‑based buffer overflow in asperahttpd can be triggered remotely to cause denial‑of‑service and may permit remote code execution or authentication bypass.
  • CVE-2026-8179 with a CVSS score of 8.8 – A stack‑based buffer overflow permits an authenticated user to achieve arbitrary code execution on the server.
  • CVE-2026-8180 with a CVSS score of 7.5 – A NULL pointer dereference can be exploited by an unauthenticated user to crash the service, leading to availability loss.

The aggregate risk is high, with multiple attack vectors that could be leveraged without user interaction, potentially resulting in data loss, service outages, and reputational damage. Immediate attention is required to prevent exploitation that could disrupt critical file‑transfer workflows and expose sensitive information.

RECOMMENDATION:

  • We recommend updating IBM Aspera to Fix Pack 2.
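To help decide which hosts fall inside the affected range stated above (3.7.4 through 4.4.7 Fix Pack 1) and therefore need the recommended update, the following triage script is an added example; it is not IBM's code or tooling referenced by the advisory. It assumes that version strings are reported in the form "MAJOR.MINOR.PATCH" optionally followed by "Fix Pack N" (or "FP N"); that format, the host names, and the inventory entries are constructed for illustration.

```python
"""Affected-version triage for the IBM Aspera HSTS/HSTE advisory.

Added example, not IBM's code. Version-string format ("4.4.7 Fix Pack 1",
"4.4.7 FP2", "3.7.4") is an assumption made for this illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, fix_pack)

# Inclusive range stated in the advisory; a version without a fix pack is FP 0.
FIRST_AFFECTED: Version = (3, 7, 4, 0)
LAST_AFFECTED: Version = (4, 4, 7, 1)

# CVEs and CVSS scores exactly as listed in the advisory.
ADVISORY_CVES: Dict[str, float] = {
    "CVE-2026-7876": 9.1,
    "CVE-2026-9035": 6.5,
    "CVE-2026-8175": 9.8,
    "CVE-2026-8179": 8.8,
    "CVE-2026-8180": 7.5,
}

_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:(?:Fix\s*Pack|FP)\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Version]:
    """Parse an assumed-format version string into a comparable tuple.

    Returns None when the string does not match, so callers can flag
    unknown formats instead of silently treating them as patched.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, fix_pack = m.groups()
    return (int(major), int(minor), int(patch), int(fix_pack) if fix_pack else 0)


def is_affected(text: str) -> bool:
    """True if the version lies within the advisory's affected range."""
    version = parse_version(text)
    if version is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify each host as 'affected', 'not affected' or 'unknown'.

    Tuple comparison on (major, minor, patch, fix_pack) gives the ordering
    the advisory implies: 4.4.7 FP1 is affected, 4.4.7 FP2 is not.
    """
    results = []
    for host, version_text in inventory.items():
        if parse_version(version_text) is None:
            status = "unknown"
        elif is_affected(version_text):
            status = "affected"
        else:
            status = "not affected"
        results.append((host, version_text, status))
    return results


def highest_cvss() -> float:
    """Worst-case CVSS score among the advisory's CVEs (9.8)."""
    return max(ADVISORY_CVES.values())


if __name__ == "__main__":
    # Constructed sample inventory (host names and versions are fictitious).
    sample_inventory = {
        "xfer-01.example.test": "4.4.7 Fix Pack 1",
        "xfer-02.example.test": "4.4.7 FP2",
        "xfer-03.example.test": "3.7.3",
        "xfer-04.example.test": "4.0.0",
        "xfer-05.example.test": "build-2024.03",
    }
    for host, version_text, status in triage(sample_inventory):
        print(f"{host:24} {version_text:18} {status}")
    print(f"max CVSS in advisory: {highest_cvss()}")
```

Hosts reported as "unknown" should be treated as unverified rather than patched; a version reporting format outside the assumed one is a reason to check the host by hand, not to drop it from the remediation list.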

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/ibm-aspera-vulnerabilities-patch/
