Description
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential arbitrary file read in the asperahttpd component. An authenticated user may be able to take advantage of this vulnerability to access files in the server’s local storage that they should not have access to.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Aspera High‑Speed Transfer Endpoint and Server versions 3.7.4 through 4.4.7 Fix Pack 1 contain a flaw in the asperahttpd component that enables an authenticated user to read files from the server’s local file system that they should not have access to. This represents a confidentiality breach where sensitive data could be disclosed to accounts with legitimate access to the service but without permission to view the underlying files. The weakness is identified as a path traversal type flaw, corresponding to CWE‑22.

Affected Systems

The affected products are IBM Aspera High‑Speed Transfer Endpoint and IBM Aspera High‑Speed Transfer Server. Vulnerable builds include all releases starting at 3.7.4 and up through 4.4.7 Fix Pack 1. Any system running these versions is at risk until remediation is applied.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium‑severity vulnerability. Because the exploit requires authentication, the attack vector is limited to users who already have valid credentials to the Aspera service. The EPSS score is not available, so the current probability of an active exploit is unknown. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known attacks have been reported to date. Nonetheless, an authenticated attacker could read arbitrary files, potentially exposing confidential information or enabling lateral movement within the infrastructure.

Generated by OpenCVE AI on May 27, 2026 at 19:57 UTC.

Remediation

Vendor Solution

Product(s)VRMFRemediation/First FixIBM Aspera High-Speed Transfer Server4.4.7 Fix Pack 2Link to latest release (4.4.7 FP 2)IBM Aspera High-Speed Transfer Endpoint4.4.7 Fix Pack 2Link to latest release (4.4.7 FP 2)

OpenCVE Recommended Actions

  • Apply IBM Aspera High‑Speed Transfer Server 4.4.7 Fix Pack 2 and IBM Aspera High‑Speed Transfer Endpoint 4.4.7 Fix Pack 2 to the affected systems
  • Reconfigure or limit the asperahttpd service to bind only to trusted interfaces and disable public access when it is not required
  • Enforce least‑privilege for all accounts that authenticate to the Aspera service, and disable or remove unused or unnecessary user accounts

Generated by OpenCVE AI on May 27, 2026 at 19:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:aspera_high-speed_transfer_endpoint:*:*:*:*:*:*:*:*
cpe:2.3:a:ibm:aspera_high-speed_transfer_endpoint:4.4.7:-:*:*:*:*:*:*
cpe:2.3:a:ibm:aspera_high-speed_transfer_endpoint:4.4.7:fixpack1:*:*:*:*:*:*
cpe:2.3:a:ibm:aspera_high-speed_transfer_server:*:*:*:*:*:*:*:*
cpe:2.3:a:ibm:aspera_high-speed_transfer_server:4.4.7:-:*:*:*:*:*:*
cpe:2.3:a:ibm:aspera_high-speed_transfer_server:4.4.7:fixpack1:*:*:*:*:*:*

Thu, 28 May 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Ibm aspera High-speed Transfer Endpoint
Ibm aspera High-speed Transfer Server
Vendors & Products Ibm aspera High-speed Transfer Endpoint
Ibm aspera High-speed Transfer Server

Wed, 27 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential arbitrary file read in the asperahttpd component. An authenticated user may be able to take advantage of this vulnerability to access files in the server’s local storage that they should not have access to.
Title Multiple vulnerabilities in Aspera applications.
First Time appeared Ibm
Ibm aspera High Speed Transfer Endpoint
Ibm aspera High Speed Transfer Server
Weaknesses CWE-22
CPEs cpe:2.3:a:ibm:aspera_high_speed_transfer_endpoint:3.7.4:*:*:*:*:*:*:*
cpe:2.3:a:ibm:aspera_high_speed_transfer_endpoint:4.4.7:*:*:*:*:*:*:*
cpe:2.3:a:ibm:aspera_high_speed_transfer_server:3.7.4:*:*:*:*:*:*:*
cpe:2.3:a:ibm:aspera_high_speed_transfer_server:4.4.7:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm aspera High Speed Transfer Endpoint
Ibm aspera High Speed Transfer Server
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Ibm Aspera High-speed Transfer Endpoint Aspera High-speed Transfer Server Aspera High Speed Transfer Endpoint Aspera High Speed Transfer Server
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-27T14:47:20.101Z

Reserved: 2026-05-19T16:39:18.455Z

Link: CVE-2026-9035

cve-icon Vulnrichment

Updated: 2026-05-27T14:47:13.357Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:38.913

Modified: 2026-06-05T18:57:10.903

Link: CVE-2026-9035

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T01:15:03Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')