Description
IBM Aspera Console 3.3.0 through 3.4.8 could allow an attacker to enumerate usernames due to an observable response discrepancy.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability allows an attacker to enumerate usernames due to an observable response discrepancy. This information disclosure is classified as CWE‑204 and could expose user identities, enabling potential social engineering or further attacks. The impact is limited to disclosure of sensitive information and does not provide direct code execution or privilege escalation.

Affected Systems

IBM Aspera Console versions 3.3.0 through 3.4.8 are affected on both Windows and Linux platforms. Versions higher than 3.4.8, such as 3.4.9, include the remediation and are not vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk, while an EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger the vulnerability via a remote network request to the console, without needing local privileges. The nature of the response discrepancy suggests that enumeration may be possible even without authentication, though the exact scope depends on the console configuration.

Generated by OpenCVE AI on March 17, 2026 at 17:51 UTC.

Remediation

Vendor Solution

Remediation/Fixes

It is strongly recommended that customers upgrade to the latest version of IBM Aspera Console:

Product(s) | Fixing VRM | Platform | Link to Fix
IBM Aspera Console | 3.4.9 | Windows | Link
IBM Aspera Console | 3.4.9 | Linux | Link


OpenCVE Recommended Actions

  • Upgrade IBM Aspera Console to version 3.4.9 for Windows and Linux
  • Verify that the latest version is installed and running
  • If immediate upgrade is not possible, monitor for enumeration attempts and restrict access to the console



Advisories

No advisories yet.

History

Tue, 17 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:ibm:aspera_console:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
Microsoft
Microsoft windows

Mon, 16 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Description IBM Aspera Console 3.3.0 through 3.4.8 could allow an attacker to enumerate usernames due to an observable response discrepancy.
Title IBM Aspera Console Information Disclosure
First Time appeared Ibm
Ibm aspera Console
Weaknesses CWE-204
CPEs cpe:2.3:a:ibm:aspera_console:3.3.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:aspera_console:3.4.8:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm aspera Console
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-03-16T13:50:17.157Z

Reserved: 2025-11-19T21:22:07.209Z

Link: CVE-2025-13460

Vulnrichment

Updated: 2026-03-16T13:50:13.219Z

NVD

Status: Analyzed

Published: 2026-03-16T14:17:54.903

Modified: 2026-03-17T15:50:01.287

Link: CVE-2025-13460

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:40:05Z

Weaknesses