Skip to main content

IBM Aspera HSTS CVE-2026-9035

| EUVDEUVD-2026-32503 MEDIUM
Path Traversal (CWE-22)
2026-05-27 psirt@us.ibm.com GHSA-2qr9-h6wh-7p92
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:18 vuln.today

DescriptionCVE.org

IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential arbitrary file read in the asperahttpd component. An authenticated user may be able to take advantage of this vulnerability to access files in the server’s local storage that they should not have access to.

AnalysisAI

Path traversal in the asperahttpd HTTP component of IBM Aspera High-Speed Transfer Endpoint and Server (versions 3.7.4 through 4.4.7 Fix Pack 1) enables authenticated network users to read arbitrary files from the server's local filesystem beyond their authorized scope. The vulnerability is classified CWE-22 and carries a CVSS 6.5 medium score, reflecting high confidentiality impact with no integrity or availability exposure. No public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation status as none with partial technical impact, suggesting limited immediate threat despite the sensitive nature of file read primitives in a file-transfer product.

Technical ContextAI

The vulnerability resides in asperahttpd, the embedded HTTP server component within IBM Aspera High-Speed Transfer products - software widely deployed for large-scale, high-throughput file transfers in enterprise and media workflows. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, or 'Path Traversal') describes the root cause: the asperahttpd component fails to adequately sanitize or normalize file path inputs, allowing sequences such as '../' to escape the intended directory boundary and reference arbitrary locations on the server's local storage. Affected products span both the Endpoint variant (client-side agent) and the Server variant (IBM Aspera High-Speed Transfer Server), both in the version range 3.7.4 through 4.4.7 Fix Pack 1 per EUVD-2026-32503. No CPE string was supplied in the available intelligence, so exact CPE identifiers should be confirmed against the IBM advisory at https://www.ibm.com/support/pages/node/7273615.

RemediationAI

Apply the vendor-released fix documented in IBM security advisory at https://www.ibm.com/support/pages/node/7273615 - the exact patched version is not present in the available intelligence data and must be confirmed directly from that advisory before upgrade planning. Until patching is complete, compensating controls include restricting network access to the asperahttpd service port to known trusted IP ranges via firewall rules, which limits the authenticated attack surface to a smaller set of potential abusers; the trade-off is reduced accessibility for legitimate remote users. Additionally, audit and enforce the principle of least privilege on all Aspera user accounts - accounts with minimal transfer permissions reduce the value of any file read achieved. Monitoring asperahttpd access logs for path traversal patterns (repeated '../' sequences or requests targeting '/etc/', '/var/', or credential directories) provides early detection. Note that path normalization at a reverse proxy (e.g., nginx) in front of asperahttpd could neutralize traversal sequences but introduces deployment complexity and should be tested against Aspera's protocol requirements.

Share

CVE-2026-9035 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy