Description
IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.
Published: 2026-04-01
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User Impersonation
Action: Apply Patch
AI Analysis

Impact

A flaw in IBM Aspera Shares versions 1.9.9 through 1.11.0 causes the system to leave existing sessions valid after a password reset instead of invalidating them. An authenticated user who resets a password can therefore keep using the session to act as another user, potentially accessing data or functionality that belongs to that other account. The weakness is insufficient session expiration, identified as CWE-613.

Affected Systems

The affected product is IBM Aspera Shares on both Windows and Linux platforms. Users running any release from 1.9.9 up to and including 1.11.0 are vulnerable; newer releases such as 1.11.1 contain the fix.

Risk and Exploitability

The vulnerability scores a CVSS of 6.3, placing it in the medium severity range, and the EPSS indicates an exploitation probability of less than 1%. It is not currently listed in the CISA KEV catalog. Exploitation requires an attacker to be an authenticated user with the ability to reset a password; once that condition is met, the attacker can impersonate any other user without needing additional privileges.
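To make the weakness described in the Impact and Risk paragraphs concrete, the following added example (constructed for this page; it is not IBM Aspera Shares code and makes no claim about how that product stores or checks sessions) models a minimal session store with two password-reset paths: one that changes the credential but leaves every existing session alive, which is the CWE-613 pattern, and a hardened one that revokes every session bound to the account when its credential changes. All class and function names, the audit line format and the sample account are assumptions.

```python
"""
Toy model of CWE-613 (insufficient session expiration) around a password
reset. Constructed for illustration: not IBM Aspera Shares code, and no
claim about that product's real session mechanism. Names are assumptions.
"""
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user: str
    revoked: bool = False


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    # tokens of every session issued for this account (assumed bookkeeping)
    tokens: list = field(default_factory=list)


def _hash(password: str, salt: bytes) -> bytes:
    # Slow KDF for the toy store; the iteration count is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    def __init__(self) -> None:
        self.accounts: dict = {}
        self.sessions: dict = {}
        self.audit: list = []  # constructed audit trail for the defender's view

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> Optional[str]:
        acct = self.accounts.get(user)
        if acct is None or not secrets.compare_digest(
            acct.pw_hash, _hash(password, acct.salt)
        ):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user)
        acct.tokens.append(token)
        return token

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        return s is not None and not s.revoked

    def reset_password_vulnerable(self, user: str, new_password: str) -> None:
        """CWE-613 pattern: the credential changes, existing sessions live on."""
        acct = self.accounts[user]
        acct.pw_hash = _hash(new_password, acct.salt)
        self.audit.append(f"password_reset user={user} sessions_revoked=0")

    def reset_password_fixed(self, user: str, new_password: str) -> int:
        """Hardened path: rotate the credential and revoke every session bound to it."""
        acct = self.accounts[user]
        acct.pw_hash = _hash(new_password, acct.salt)
        revoked = 0
        for token in acct.tokens:
            if not self.sessions[token].revoked:
                self.sessions[token].revoked = True
                revoked += 1
        acct.tokens.clear()
        self.audit.append(f"password_reset user={user} sessions_revoked={revoked}")
        return revoked


def demo() -> tuple:
    """Return (session survives vulnerable reset, session survives fixed reset)."""
    results = []
    for reset in ("reset_password_vulnerable", "reset_password_fixed"):
        store = SessionStore()
        store.register("sample-user", "old-password")  # constructed account
        token = store.login("sample-user", "old-password")
        assert token is not None and store.is_valid(token)
        getattr(store, reset)("sample-user", "new-password")
        results.append(store.is_valid(token))
    return results[0], results[1]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The audit line records how many sessions each reset revoked, which gives a simple check for a defender reviewing logs: a password reset that revokes zero sessions for an account that had active sessions is the symptom of this weakness. In a self-service flow the hardened path would normally be followed by issuing the resetting user a fresh session, so that only sessions established under the old credential are cut off.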

Generated by OpenCVE AI on April 6, 2026 at 19:27 UTC.

Remediation

Vendor Solution

Product(s)         Fixing VRM  Platform  Link to Fix
IBM Aspera Shares  1.11.1      Windows   https://www.ibm.com/support/fixcentral/swg/selectFixes
IBM Aspera Shares  1.11.1      Linux     https://www.ibm.com/support/fixcentral/swg/selectFixes

OpenCVE Recommended Actions

  • Apply the IBM Aspera Shares 1.11.1 patch for Windows using the provided fix link.
  • Apply the IBM Aspera Shares 1.11.1 patch for Linux using the provided fix link.
  • Verify that the installed version is at least 1.11.1 and no earlier versions are in use.

Generated by OpenCVE AI on April 6, 2026 at 19:27 UTC.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:aspera_shares:*:-:*:*:*:*:*:*

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description  IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.
Title  Multiple vulnerabilities have been addressed in IBM Aspera Shares
First Time appeared  Ibm; Ibm aspera Shares
Weaknesses  CWE-613
CPEs  cpe:2.3:a:ibm:aspera_shares:1.11.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:aspera_shares:1.9.9:*:*:*:*:*:*:*
Vendors & Products  Ibm; Ibm aspera Shares
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


Subscriptions

Ibm Aspera Shares
MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-04-02T13:33:16.193Z

Reserved: 2025-12-02T18:42:37.816Z

Link: CVE-2025-66483

Vulnrichment

Updated: 2026-04-02T13:28:31.166Z

NVD

Status : Analyzed

Published: 2026-04-01T23:17:01.940

Modified: 2026-04-06T16:20:54.160

Link: CVE-2025-66483

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:56:25Z

Weaknesses