IBM CVE-2025-13916

EUVD-2025-209172, GHSA-4f66-hqm2-85m5
Severity: MEDIUM (CVSS 3.1 score: 5.9)
Weakness: Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-04-01, ibm

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (4 events)

Apr 01, 2026 - 21:15 (euvd): EUVD ID Assigned, EUVD-2025-209172
Apr 01, 2026 - 21:15 (vuln.today): Analysis Generated
Apr 01, 2026 - 21:15 (nvd): Patch released, Patch available
Apr 01, 2026 - 20:46 (nvd): CVE Published, MEDIUM 5.9

Description (NVD)

IBM Aspera Shares 1.9.9 through 1.11.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

Analysis (AI)

IBM Aspera Shares versions 1.9.9 through 1.11.0 implement cryptography of insufficient strength, which permits remote attackers without authentication to decrypt sensitive information. The vulnerability stems from the use of weaker-than-expected cryptographic algorithms, which allows a breach of the confidentiality of data protected by the application. A vendor patch is available.

Technical Context (AI)

This vulnerability is rooted in CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), indicating that IBM Aspera Shares relies on cryptographic functions with reduced security margins. Rather than a complete cryptographic failure, the implementation uses algorithms or key strengths below industry expectations for the sensitivity of data being protected. The Aspera file transfer platform handles large-scale data movement and typically manages business-critical or confidential information, making cryptographic strength a core security requirement. The vulnerability affects the data encryption layer that protects information in transit or at rest within the affected versions.

Remediation (AI)

Upgrade IBM Aspera Shares to a version beyond 1.11.0 where the cryptographic algorithms have been strengthened. Consult the vendor advisory at https://www.ibm.com/support/pages/node/7267848 for the exact patched version designation and deployment guidance. If an immediate upgrade is not feasible, review network access controls to restrict Aspera Shares endpoints to trusted networks, and implement additional encryption layers (such as VPN or TLS hardening) to reduce the attack surface. Do not delay patching, as the vulnerability allows remote decryption of sensitive data without authentication.
