Aspera Console CVE-2025-13212

EUVD-2025-208657 | MEDIUM | CVSS 3.1: 5.3
Improper Control of Interaction Frequency (CWE-799)
2026-03-13 ibm

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Lifecycle Timeline (4 events)

Patch released: Mar 17, 2026 - 15:49 (nvd), Patch available
EUVD ID Assigned: Mar 13, 2026 - 21:01 (euvd), EUVD-2025-208657
Analysis Generated: Mar 13, 2026 - 21:01 (vuln.today)
CVE Published: Mar 13, 2026 - 19:54 (nvd), MEDIUM 5.3

Description (NVD)

IBM Aspera Console 3.3.0 through 3.4.8 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency.

Analysis (AI)

IBM Aspera Console versions 3.3.0 through 3.4.8 contain an improper rate-limiting vulnerability in the email service that allows authenticated users to trigger a denial of service condition. An attacker with valid credentials can abuse the email functionality by sending requests at excessive frequencies, exhausting service resources and rendering the email feature unavailable to legitimate users. This vulnerability requires authentication and does not provide confidentiality or integrity impact, resulting in a moderate CVSS score of 5.3.

Technical Context (AI)

The vulnerability exists in IBM Aspera Console's email service component, which fails to implement adequate rate-limiting or request throttling mechanisms. This falls under CWE-799 (Improper Control of Interaction Frequency), a weakness category that encompasses scenarios where applications do not properly restrict the frequency or volume of interactions from users. The affected software is identified via CPE string cpe:2.3:a:ibm:aspera_console, spanning versions 3.3.0 through 3.4.8. The email service likely uses standard SMTP or internal mail relay mechanisms, but lacks authentication-based quotas or per-user request frequency controls that would prevent abuse by authenticated actors.

Remediation (AI)

Upgrade IBM Aspera Console to version 3.4.9 or later (specific version availability should be confirmed via IBM's security advisory). Organizations unable to patch immediately should implement compensating controls by restricting network access to the Aspera Console email service to trusted internal networks only, implementing authentication-based rate-limiting at a reverse proxy or WAF level to cap email service requests per authenticated user, and monitoring email service logs for unusual request frequency patterns. Enable multi-factor authentication on all Aspera Console administrative accounts to reduce the risk of compromised credentials being used for abuse.
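
The log-monitoring control above can be sketched as a per-user sliding-window check. This is an added example, not IBM code: the "timestamp user=... action=..." line format, the action name send_email, and the thresholds are assumptions, since the page does not give Aspera Console's real log layout. Lines are assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input (hypothetical format, not real Aspera Console logs):
# one user with normal activity, one malformed line, one user sending a burst.
SAMPLE_LOG = (
    ["2026-03-14T09:00:00 user=alice action=send_email",
     "2026-03-14T09:00:40 user=alice action=login",
     "2026-03-14T09:05:00 user=alice action=send_email",
     "garbled line"]
    + [f"2026-03-14T09:10:{s:02d} user=mallory action=send_email"
       for s in range(0, 16, 2)]  # 8 requests in 14 seconds
)

def parse_line(line):
    """Return (timestamp, user) for email requests, None for anything else."""
    parts = line.split()
    if len(parts) != 3:
        return None  # malformed or unrelated line
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if fields.get("action") != "send_email" or "user" not in fields:
        return None
    try:
        return datetime.fromisoformat(parts[0]), fields["user"]
    except ValueError:
        return None  # unparseable timestamp

def find_bursts(lines, limit=5, window=timedelta(seconds=60)):
    """Map user -> time of the first email request that exceeded `limit`
    requests inside a sliding `window`."""
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user = parsed
        q = recent[user]
        q.append(ts)
        while ts - q[0] >= window:  # drop requests that aged out of the window
            q.popleft()
        if len(q) > limit and user not in flagged:
            flagged[user] = ts
    return flagged

if __name__ == "__main__":
    for user, when in find_bursts(SAMPLE_LOG).items():
        print(f"{user}: email request rate exceeded at {when.isoformat()}")
```

The same per-user counting, applied inline at a reverse proxy instead of after the fact, is the rate-limiting control the remediation text describes.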
