CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
IBM Aspera Console 3.3.0 through 3.4.8 could allow an attacker to enumerate usernames due to an observable response discrepancy.
Analysis
IBM Aspera Console versions 3.3.0 through 3.4.8 contain a username enumeration vulnerability caused by observable response discrepancies in authentication mechanisms. An unauthenticated remote attacker can exploit this to enumerate valid usernames through response analysis, enabling reconnaissance for subsequent targeted attacks. With a CVSS score of 5.3 and low attack complexity, this is a low-to-moderate severity information disclosure issue suitable for standard patch management cycles rather than emergency response.
Technical Context
The vulnerability exists in IBM Aspera Console (cpe:2.3:a:ibm:aspera_console) and falls under CWE-204 (Observable Response Discrepancy), a weakness class in which a system leaks information through differences in error messages, response times, or HTTP status codes during authentication attempts. In this case, the Aspera Console authentication handler likely returns distinguishable responses when presented with valid versus invalid usernames, for example different HTTP status codes (401 vs 404), varying response lengths, or distinct error message strings. An attacker can therefore systematically probe the application to determine which usernames exist without holding valid credentials. The vulnerability is specific to the Aspera Console product line, a commercial file transfer and workflow acceleration platform commonly deployed in enterprise environments for high-performance data distribution.
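The following Python snippet is an added illustration of the CWE-204 pattern described above; it is not code from the advisory or from IBM Aspera Console, and the user store, salt and function names (`login_vulnerable`, `login_hardened`, `responses_distinguishable`) are constructed for this example. The vulnerable handler answers "unknown user" and "wrong password" differently, while the hardened handler returns one uniform response and performs the same password-hash work for unknown usernames so that neither status code, message nor timing separates the two cases.

```python
import hashlib
import hmac
from typing import Callable, Tuple

# Fixed salt so the example is deterministic; a real system uses a random per-user salt.
_SALT = b"constructed-example-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (deliberately the same cost for every call)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store: username -> (salt, password hash). Only "alice" exists.
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy record used so that an unknown username still costs one full hash computation.
_DUMMY_RECORD = (_SALT, _hash_password("not-a-real-password", _SALT))


def login_vulnerable(username: str, password: str) -> Tuple[int, str]:
    """CWE-204 pattern: unknown user and bad password get different status codes and messages."""
    record = USERS.get(username)
    if record is None:
        # Early return: no hashing is done, so timing and the 404 both reveal the username is unknown.
        return 404, "user not found"
    salt, expected = record
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return 200, "ok"
    return 401, "wrong password"


def login_hardened(username: str, password: str) -> Tuple[int, str]:
    """Uniform failure response: same status, same message and same hashing work for every failure."""
    salt, expected = USERS.get(username, _DUMMY_RECORD)
    hash_matches = hmac.compare_digest(_hash_password(password, salt), expected)
    # Membership is checked after the hash so the expensive step always runs.
    if hash_matches and username in USERS:
        return 200, "ok"
    return 401, "invalid username or password"


def responses_distinguishable(login: Callable[[str, str], Tuple[int, str]]) -> bool:
    """Self-check a handler: does 'unknown user' produce a different (status, body) than 'wrong password'?"""
    unknown_user = login("nobody", "anything")
    wrong_password = login("alice", "anything")
    return unknown_user != wrong_password


if __name__ == "__main__":
    print("vulnerable handler leaks username existence:", responses_distinguishable(login_vulnerable))
    print("hardened handler leaks username existence:", responses_distinguishable(login_hardened))
```

The `responses_distinguishable` check is the kind of assertion worth keeping in an authentication test suite: it fails the build as soon as a code change reintroduces a per-case error message or status code. Equalising response bodies alone is not enough; the dummy-record hash in `login_hardened` is what removes the timing difference that an early return on an unknown username would otherwise create.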
Affected Products
IBM Aspera Console versions 3.3.0 through 3.4.8 are affected. The vulnerability is confirmed via the CPE cpe:2.3:a:ibm:aspera_console and affects all patch levels within this version range. IBM has released patched versions beyond 3.4.8 to remediate this issue. Refer to IBM's security advisory (IBM X-Force / PSIRT documentation) and the official Aspera product security notices for complete patch availability and supported upgrade paths specific to your deployment architecture.
Remediation
Immediately upgrade IBM Aspera Console to version 3.4.9 or later, or to the latest 3.5.x release if available, following IBM's official patch guidance and pre-upgrade compatibility checks for your deployment. If immediate patching is not feasible, implement network-level access controls to restrict Aspera Console authentication endpoints to trusted IP ranges, disable or firewall any public-facing authentication interfaces, and deploy HTTP request logging to detect enumeration attempts (e.g., high volumes of failed login requests to the same endpoint with varying usernames). Enable multi-factor authentication where supported to reduce the impact of compromised credentials obtained through enumeration. Monitor Aspera Console logs for suspicious authentication patterns and coordinate with identity and access management teams to enforce strong password policies that reduce the value of enumerated usernames to attackers.
EUVD-2025-208660