Impact
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 FP1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 FP1 are vulnerable to a denial-of-service flaw in the asperahttpd component. An unauthenticated user can trigger the flaw, crashing the service and interrupting all data-transfer operations. The issue is a null pointer dereference (CWE-476) that terminates the process abnormally. No specific exploit details are publicly known, and the attack appears to require only network-level access to the asperahttpd service.
Affected Systems
IBM Aspera High-Speed Transfer Endpoint versions 3.7.4 through 4.4.7 FP1 and IBM Aspera High-Speed Transfer Server versions 3.7.4 through 4.4.7 FP1 are affected. Versions beyond 4.4.7 FP1, such as the Fix Pack 2 releases, are not impacted by this vulnerability. Both products are identified in the CPE namespace for the provided versions.
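The affected range above can be checked against an asset inventory. The following is an added example, not code from IBM or OpenCVE; it assumes version strings are recorded in the `X.Y.Z` / `X.Y.Z FPn` form this page uses, and the host names and inventory are constructed.

```python
import re

# Range taken from this advisory: 3.7.4 through 4.4.7 FP1, inclusive.
# Versions are compared as (major, minor, patch, fix_pack) tuples.
FIRST_AFFECTED = (3, 7, 4, 0)
LAST_AFFECTED = (4, 4, 7, 1)

# Assumption: versions look like "4.4.7", "4.4.7 FP1" or "4.4.7 Fix Pack 2".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*(?:FP|Fix\s*Pack)\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (major, minor, patch, fix_pack); fix_pack is 0 when absent."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, fix_pack = match.groups()
    return (int(major), int(minor), int(patch), int(fix_pack or 0))


def is_affected(text):
    """True when the version falls inside the advisory's stated range."""
    return FIRST_AFFECTED <= parse_version(text) <= LAST_AFFECTED


def triage(inventory):
    """Map each host to 'in affected range', 'outside stated range' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            in_range = is_affected(version)
        except ValueError:
            result[host] = "unknown"  # unparseable: needs a manual check
            continue
        result[host] = "in affected range" if in_range else "outside stated range"
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "hst-a.example": "3.7.4",
    "hst-b.example": "4.4.7 FP1",
    "hst-c.example": "4.4.7 Fix Pack 2",
    "hst-d.example": "4.4.7",
    "hst-e.example": "unknown-build",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

Hosts reported as "unknown" carry a version string the parser could not read and should be checked by hand rather than assumed safe.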
Risk and Exploitability
The CVSS score of 7.5 classifies this as a moderate-severity vulnerability. No EPSS score is currently available, so there is no published estimate of exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely and without authentication by sending asperahttpd a request that triggers the null pointer dereference, resulting in a denial of service for all users.
OpenCVE Enrichment