Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Aspera Shares 1.9.9 through 1.11.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information
AnalysisAI
IBM Aspera Shares versions 1.9.9 through 1.11.0 implements insufficient cryptographic strength that permits remote attackers without authentication to decrypt sensitive information. The vulnerability stems from use of weaker-than-expected cryptographic algorithms, allowing confidentiality breach of data protected by the application. A vendor patch is available.
Technical ContextAI
This vulnerability is rooted in CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), indicating that IBM Aspera Shares relies on cryptographic functions with reduced security margins. Rather than a complete cryptographic failure, the implementation uses algorithms or key strengths below industry expectations for the sensitivity of data being protected. The Aspera file transfer platform handles large-scale data movement and typically manages business-critical or confidential information, making cryptographic strength a core security requirement. The vulnerability affects the data encryption layer that protects information in transit or at rest within the affected versions.
RemediationAI
Upgrade IBM Aspera Shares to a version beyond 1.11.0 where the cryptographic algorithms have been strengthened. Consult the vendor advisory at https://www.ibm.com/support/pages/node/7267848 for exact patched version designation and deployment guidance. If immediate upgrade is not feasible, review network access controls to restrict Aspera Shares endpoints to trusted networks and implement additional encryption layers (such as VPN or TLS hardening) to reduce the attack surface. Do not delay patching, as the vulnerability allows remote decryption of sensitive data without authentication.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209172
GHSA-4f66-hqm2-85m5