Critical IBM Aspera Faspex Vulnerability Being Exploited by Ransomware Gangs

Ransomware gangs are targeting a critical vulnerability in the IBM Aspera Faspex application to gain access to enterprise networks. Aspera is a file-exchange application used by enterprises to rapidly transfer large files or large volumes of files. The application is based on IBM’s Fast, Adaptive, and Secure Protocol (FASP), which intelligently uses available network bandwidth to transfer files to shared inboxes, workgroups, or distribution lists. The solution has a web-based GUI and provides advanced management options to match organizations’ workflows.

In January 2023, IBM announced a critical vulnerability had been identified and patched. The vulnerability – CVE-2022-47986 – is a pre-authentication YAML deserialization vulnerability in Ruby on Rails code and has a CVSS severity score of 9.8. The flaw can be exploited by an unauthenticated attacker to remotely execute code by sending specially crafted calls to an outdated programming interface. On February 2, 2023, a working Proof-of-Concept exploit for the vulnerability was publicly released, and by February 12, 2023, the vulnerability was being exploited by ransomware gangs.

Researchers at Rapid7 and Sentinel One say a threat actor called IceFire is exploiting the vulnerability to deploy a new Linux version of their ransomware. IceFire typically targets large enterprises and uses a Windows version of its ransomware which is usually delivered via phishing emails; however, the Linux version of the ransomware is being pushed by exploiting the Aspera vulnerability. IceFire has historically targeted the technology sector but the recent attacks exploiting the CVE-2022-47986 vulnerability have been on companies in the media and entertainment sector.  There have also been reports that the vulnerability is being exploited by an unknown threat actor to deliver Buhti ransomware.

IBM says the vulnerability affects Aspera Faspex 4.4.2 Patch Level 1 and earlier versions, and that the vulnerability has been fully remediated in Aspera Faspex 4.4.2 Patch Level 2. Since the vulnerability is being actively exploited, emergency patching is strongly recommended.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of