CVE-2023-37401

5.3 MEDIUM

📋 TL;DR

IBM Aspera Faspex versions 5.0.0 through 5.0.13.1 have an overly permissive cross-domain policy file that includes untrusted domains. This could allow attackers to perform cross-domain attacks against users. Organizations running affected Aspera Faspex installations are vulnerable.

💻 Affected Systems

Products:
  • IBM Aspera Faspex
Versions: 5.0.0 through 5.0.13.1
Operating Systems: All platforms running Aspera Faspex
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations within the affected version range are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could perform cross-site request forgery (CSRF) attacks, steal user session tokens, or execute malicious scripts in the context of the Aspera Faspex domain.

🟠 Likely Case

Cross-domain data theft or unauthorized actions performed on behalf of authenticated users through CSRF attacks.

🟢 If Mitigated

Limited impact if proper network segmentation and web application firewalls are in place to block cross-domain requests.

🌐 Internet-Facing: MEDIUM - Internet-facing instances are exposed to potential cross-domain attacks from any malicious website.
🏢 Internal Only: LOW - Internal-only deployments reduce the attack surface but remain vulnerable to malicious sites reachable from inside the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to lure a victim to a malicious website while authenticated to Aspera Faspex.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.13.2 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7247502

Restart Required: No

Instructions:

1. Download IBM Aspera Faspex version 5.0.13.2 or later from IBM Fix Central.
2. Follow IBM's upgrade documentation to apply the update.
3. Verify the crossdomain.xml file no longer contains untrusted domains.

🔧 Temporary Workarounds

Restrict crossdomain.xml access (all platforms)

Configure the web server to restrict access to the crossdomain.xml file, or edit the file to remove untrusted domains.

# Example: Modify crossdomain.xml to only include trusted domains
# Location: <aspera_install>/web/crossdomain.xml

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to restrict cross-domain requests.
  • Use web application firewall rules to block malicious cross-domain requests.

🔍 How to Verify

Check if Vulnerable:

Check the crossdomain.xml file in the Aspera Faspex web directory for inclusion of untrusted domains.

Check Version:

# On Aspera Faspex server, check version in admin interface or configuration files

Verify Fix Applied:

Verify crossdomain.xml file only contains explicitly trusted domains after update.
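The two checks above (audit the shipped crossdomain.xml for untrusted entries, and confirm the replacement admits only allowlisted domains) can be scripted. The following is an added example, not IBM's code and not the real Faspex policy file: the sample policy is constructed to show the patterns that matter, and the allowlist (`*.faspex.example.com`) is a placeholder for whatever hostnames your deployment actually trusts. It flags the bare `*` wildcard, domains outside the allowlist, `secure="false"` entries (which let plain-HTTP origins reach HTTPS content) and a `site-control` value of `all`, and it renders a minimal hardened policy from the allowlist.

```python
"""Audit a crossdomain.xml policy against an explicit allowlist, and render a hardened one."""
import xml.etree.ElementTree as ET

# Constructed sample of an over-permissive policy (illustrative, not the Faspex file).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all" />
  <allow-access-from domain="*" />
  <allow-access-from domain="*.faspex.example.com" />
  <allow-access-from domain="cdn.untrusted-example.net" secure="false" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
"""

# Placeholder allowlist; replace with the hostnames your deployment trusts.
TRUSTED_DOMAINS = {"*.faspex.example.com"}


def audit_policy(xml_text, trusted_domains):
    """Return a list of (severity, message) findings for a crossdomain.xml body.

    An empty list means every entry is within the allowlist and no
    permissive attribute was found.
    """
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "cross-domain-policy":
        findings.append(("error", f"unexpected root element <{root.tag}>"))
        return findings

    # site-control="all" permits additional policy files anywhere on the host.
    for el in root.findall("site-control"):
        if el.get("permitted-cross-domain-policies") == "all":
            findings.append(("low", 'site-control permits policy files anywhere ("all")'))

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("high", 'allow-access-from grants every origin (domain="*")'))
        elif domain not in trusted_domains:
            findings.append(("medium", f"allow-access-from lists untrusted domain {domain!r}"))
        # secure defaults to true; an explicit false lets http:// origins read https:// content.
        if el.get("secure", "true").lower() == "false":
            findings.append(("medium", f'secure="false" on {domain!r} admits plain-HTTP origins'))

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append(("high", "allow-http-request-headers-from grants every origin"))
    return findings


def build_policy(trusted_domains):
    """Render a minimal policy that admits only the allowlisted domains over HTTPS."""
    policy = ET.Element("cross-domain-policy")
    ET.SubElement(policy, "site-control", {"permitted-cross-domain-policies": "master-only"})
    for domain in sorted(trusted_domains):
        ET.SubElement(policy, "allow-access-from", domain=domain, secure="true")
    return ET.tostring(policy, encoding="unicode")


if __name__ == "__main__":
    for severity, message in audit_policy(PERMISSIVE_POLICY, TRUSTED_DOMAINS):
        print(f"[{severity}] {message}")
    print(build_policy(TRUSTED_DOMAINS))
```

Run it against the file the page points at (`<aspera_install>/web/crossdomain.xml`, read into `xml_text`) before and after the upgrade: an empty findings list after the update is the "Verify Fix Applied" condition, and the rendered policy is a starting point for the interim workaround if patching is delayed.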

📡 Detection & Monitoring

Log Indicators:

  • Unusual cross-domain requests in web server logs
  • Requests to crossdomain.xml from unexpected sources

Network Indicators:

  • Cross-domain XMLHttpRequests to Aspera Faspex endpoints
  • Suspicious referrer headers in requests

SIEM Query:

web.url="*/crossdomain.xml" AND src_ip NOT IN [trusted_networks]
