Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionNVD
IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19
AnalysisAI
Authentication bypass in IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) versions 1.5.1 through 1.5.19 allows remote attackers to access and modify protected resources without valid credentials, scoring CVSS 9.1 critical. The flaw exposes confidential file transfer data and permits unauthorized modification of integrity-protected assets across all affected releases. No public exploit identified at time of analysis, and EPSS predicts only a 0.02% near-term exploitation probability despite the high severity rating.
Technical ContextAI
IBM Aspera HSTS is a FASP-protocol-based high-speed transfer server bundled into the IBM Cloud Pak for Integration (CP4I) platform, used for moving large datasets across enterprise and hybrid-cloud boundaries. The vulnerability is classified as CWE-287 (Improper Authentication), meaning the server fails to correctly verify the identity of a client before granting access to functionality or data - typical root causes in this class include missing credential checks on a protected endpoint, mishandled token validation, or trust placed in attacker-controlled identity claims. Because Aspera HSTS commonly fronts file-transfer APIs and management endpoints, an authentication weakness directly undermines the trust boundary the product is meant to enforce. No CPE strings were provided in the input, so exact configuration scope (e.g., specific service component or auth mechanism) must be confirmed from the IBM advisory.
RemediationAI
Patch availability is not explicitly enumerated in the provided intelligence, so treat this as: patch available per vendor advisory - consult https://www.ibm.com/support/pages/node/7274127 for the fixed CP4I/Aspera HSTS release and apply the vendor-recommended upgrade above 1.5.19 once confirmed. Until the patched version is deployed, restrict network reachability to Aspera HSTS management and transfer endpoints by placing them behind a VPN or zero-trust gateway, enforce IP allowlisting on the Cloud Pak for Integration ingress, and require an authenticating reverse proxy (e.g., mTLS or SSO at the edge) in front of the service so that the vulnerable code path is not exposed to unauthenticated callers - note that proxy-fronting may break Aspera FASP UDP transfers, so test transfer throughput before enforcing. Increase audit logging on Aspera authentication and file-transfer events to detect any anomalous access during the exposure window.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32506
GHSA-r5m9-vqmc-c77r