Description
IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19
Published: 2026-05-27
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the authentication logic of IBM Aspera High‑Speed Transfer Server for Cloud Pak for Integration allows an attacker to bypass credential checks and gain access to the system as if authenticated. The vulnerability is classified as CWE‑287 and can result in unauthorized reading, modification, or deletion of protected data and control operations. No escalation to elevated privileges is required; simply accessing the service as an authenticated user is sufficient to exploit the weakness.

Affected Systems

IBM Aspera High‑Speed Transfer Server for Cloud Pak for Integration, versions 1.5.1 through 1.5.19, are affected. The vulnerability is present in the product released under the CP4I bundle and has been identified by IBM's CNAs as a critical authentication deficiency. All other versions, including 1.5.20 and later, are not affected according to the advisory.

Risk and Exploitability

The CVSS vector is not published and the EPSS score is unavailable; the vulnerability is not listed in CISA's KEV catalog. Therefore, the public exploitation probability cannot be quantified, but the presence of a direct authentication bypass suggests a high potential for exploitation in environments where the Aspera service is exposed to network traffic. An attacker who can reach the vulnerable endpoints can craft a request that satisfies the authentication logic without providing valid credentials, thereby obtaining unrestricted access to the server and its data. The impact is wide, affecting confidentiality, integrity, and availability of the services it protects.

Generated by OpenCVE AI on May 27, 2026 at 19:55 UTC.

Remediation

Vendor Solution

Product(s): IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I)
VRMF: 1.5.20
Remediation/First Fix: Access your charts to get the latest version


OpenCVE Recommended Actions

  • Upgrade to IBM Aspera High‑Speed Transfer Server for Cloud Pak for Integration version 1.5.20 or later, following IBM's release notes and configuration guidance.
  • Prior to upgrade, restrict network access to the Aspera service by applying firewall rules that limit inbound connections to trusted internal hosts only, blocking external traffic until the patch is applied.
  • Monitor authentication and access logs for anomalous activity, such as repeated unauthorized access attempts, to detect potential exploitation attempts.

Advisories

No advisories yet.

History

Thu, 28 May 2026 16:30:00 +0000

Values Removed: (none)
Values Added, by type:
  Metrics: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
           ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 14:15:00 +0000

Values Removed: (none)
Values Added, by type:
  Description: IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19
  Title: Authentication bypass vulnerability found in Aspera High-Speed Transfer Server for Cloud Pak for Integration
  First Time appeared: Ibm; Ibm aspera Hsts For Cp4i
  Weaknesses: CWE-287
  CPEs: cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.19:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.1:*:*:*:*:*:*:*
  Vendors & Products: Ibm; Ibm aspera Hsts For Cp4i
References

MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-28T14:21:59.902Z

Reserved: 2026-05-05T16:12:39.223Z

Link: CVE-2026-7876

Vulnrichment

Updated: 2026-05-28T14:21:55.302Z

NVD

Status: Undergoing Analysis

Published: 2026-05-27T14:17:35.727

Modified: 2026-05-28T16:16:30.483

Link: CVE-2026-7876

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T20:00:05Z

Weaknesses