⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2023-03-14.
CVE-2022-47986 — Deserialization of Untrusted Data in IBM Aspera Faspex
Severity
9.8CRITICALNVD
EPSS
94.3%
top 0.04%
CISA KEV
KEVRansomware
Added 2023-02-21
Due 2023-03-14
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
PublishedFeb 17
KEV addedFeb 21
KEV dueMar 14
Latest updateOct 29
CISA Required Action: Apply updates per vendor instructions.
Description
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9
Affected Packages2 packages
Patches
🔴Vulnerability Details
3💥Exploits & PoCs
2Nuclei▶
IBM Aspera Faspex <=4.4.2 PL1 - Remote Code Execution