CVE-2025-36225

4.3 MEDIUM

📋 TL;DR

IBM Aspera versions 5.0.0 through 5.0.13.1 contain an information disclosure vulnerability: an authenticated user can obtain sensitive system information they are not authorized to see. The root cause is an observable discrepancy in returned data, meaning the application's responses differ in a way the caller can observe depending on information they should not have access to, so that information can be inferred from the differences. Organizations running affected IBM Aspera versions for high-speed file transfer are impacted.

💻 Affected Systems

Products:
  • IBM Aspera
Versions: 5.0.0 through 5.0.13.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access; affects all default configurations of affected versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated malicious insider or an attacker holding a compromised account obtains sensitive system information, user data, or configuration details and uses it to plan further attacks.

🟠 Likely Case

An authenticated user, deliberately or by accident, reads information beyond their intended permissions and learns internal system details or information about other users.

🟢 If Mitigated

With least-privilege access controls and monitoring in place, impact is limited to low-privilege information disclosure with minimal operational impact.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and understanding of the data discrepancy patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.13.2 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7247502

Restart Required: No

Instructions:

1. Download IBM Aspera version 5.0.13.2 or later from IBM Fix Central.
2. Follow IBM's upgrade documentation for your deployment type.
3. Verify the upgrade completed successfully and that the reported version is 5.0.13.2 or later.

🔧 Temporary Workarounds

Restrict User Access

Applies to: all

Limit authenticated user permissions to the minimum required access levels.

🧯 If You Can't Patch

  • Implement strict access controls and principle of least privilege for all Aspera users
  • Enable detailed logging and monitoring for unusual data access patterns

🔍 How to Verify

Check if Vulnerable:

Check the Aspera version via the admin console or configuration files; if the version is between 5.0.0 and 5.0.13.1 inclusive, the system is vulnerable. Note that the range has four components, so 5.0.13 and 5.0.13.1 are both affected while 5.0.13.2 is not.

Check Version:

Check Aspera configuration files or admin interface for version information

Verify Fix Applied:

Confirm Aspera version is 5.0.13.2 or later and test that authenticated users cannot access unauthorized information.
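The version range above is easy to get wrong with plain string comparison (for example, "5.0.9" sorts after "5.0.13" as text, and "5.0.13" has one fewer component than "5.0.13.1"). The following is an added example, not code from this page or from IBM, that compares version strings numerically and classifies a reported version against the range stated here; the version-string format it accepts (dotted integers with an optional build suffix) and the fixed version 5.0.13.2 are taken as assumptions from this page.

```python
"""Classify an IBM Aspera version string against the affected range on
this page (5.0.0 .. 5.0.13.1 inclusive, fixed in 5.0.13.2 per this page).
Added example; not IBM's own tooling. Assumes dotted-integer versions with
an optional "-build"/"+meta" suffix that is ignored for comparison."""

import re
from itertools import zip_longest

AFFECTED_MIN = "5.0.0"
AFFECTED_MAX = "5.0.13.1"   # last affected build per this page
FIXED_MIN = "5.0.13.2"      # first fixed build per this page (assumption)

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(?:[-+].*)?")


def parse_version(text: str) -> tuple:
    """'5.0.13.1-build7' -> (5, 0, 13, 1). Raises ValueError on junk."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a: tuple, b: tuple) -> int:
    """-1, 0 or 1. Missing trailing components count as 0, so
    (5, 0, 13) < (5, 0, 13, 1) and (5, 0, 13) == (5, 0, 13, 0)."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def is_affected(version: str) -> bool:
    """True when AFFECTED_MIN <= version <= AFFECTED_MAX (numeric compare)."""
    v = parse_version(version)
    return (compare_versions(v, parse_version(AFFECTED_MIN)) >= 0
            and compare_versions(v, parse_version(AFFECTED_MAX)) <= 0)


def classify(version: str) -> str:
    """'vulnerable', 'fixed' (>= FIXED_MIN) or 'outside assessed range'
    (older than AFFECTED_MIN; this page makes no statement about those)."""
    if is_affected(version):
        return "vulnerable"
    if compare_versions(parse_version(version), parse_version(FIXED_MIN)) >= 0:
        return "fixed"
    return "outside assessed range"


if __name__ == "__main__":
    for sample in ["5.0.9", "5.0.13", "5.0.13.1-build7", "5.0.13.2", "4.4.2"]:
        print(f"{sample:>16}: {classify(sample)}")
```

Feed it the version string your admin console or configuration file reports; the classification is only as good as that string, so also confirm after patching that the running service, not just the installed package, reports 5.0.13.2 or later.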

📡 Detection & Monitoring

Log Indicators:

  • Unusual data access patterns by authenticated users
  • Multiple requests for system information

Network Indicators:

  • Abnormal data retrieval patterns in Aspera protocol traffic

SIEM Query:

Search Aspera application logs for authenticated sessions that request system or user information at an unusual rate, or across many distinct resources, compared with that account's normal baseline; interleaved success and denial responses across many object identifiers from one account are a useful signal of probing.
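To make the "unusual data access patterns" indicator concrete, here is an added example, not from this page or from IBM, of detection logic run over sample log lines. The log format, field names, paths and all sample records are constructed for the example and are not IBM Aspera's real log format; adapt the regular expression to whatever your deployment actually emits. It flags an account that touches many distinct resources within a short window while a large share of those requests are rejected, which is what probing for per-object response differences tends to look like.

```python
"""Per-user sliding-window detector for resource enumeration.
Added example; log format and sample data are constructed, not Aspera's."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (assumption, NOT Aspera's real format):
#   <ISO-8601 ts> user=<name> src=<ip> method=<verb> path=<path> status=<code>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)


def parse_line(line: str):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["status"] = int(ev["status"])
    return ev


def build_sample_logs():
    """Constructed sample: alice works normally, bob polls one resource
    repeatedly, mallory walks 30 distinct object IDs in 30 seconds and
    gets a mix of 200 and 403 replies."""
    base = datetime(2025, 6, 1, 10, 0, 0)
    fmt = "{ts} user={user} src={src} method=GET path={path} status={status}"

    def stamp(sec):
        return (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    for i in range(5):
        lines.append(fmt.format(ts=stamp(i * 10), user="alice", src="10.0.0.5",
                                path=f"/api/v1/packages/{i}", status=200))
    for i in range(25):
        lines.append(fmt.format(ts=stamp(i * 2), user="bob", src="10.0.0.6",
                                path="/api/v1/packages/7", status=200))
    for i in range(30):
        lines.append(fmt.format(ts=stamp(i), user="mallory", src="10.0.0.9",
                                path=f"/api/v1/nodes/{1000 + i}/info",
                                status=200 if i % 3 == 0 else 403))
    lines.append("garbage line that does not parse")
    return sorted(lines)  # ISO timestamps sort chronologically as strings


def detect_enumeration(lines, window=timedelta(seconds=60),
                       min_distinct=20, min_non2xx_ratio=0.3):
    """Keep each user's events from the last `window`. Raise one alert per
    user the first time they have touched >= min_distinct distinct paths in
    that window with >= min_non2xx_ratio of those requests rejected."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # tolerate unparseable lines instead of aborting
        q = recent[ev["user"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if ev["user"] in alerts:
            continue
        distinct = {e["path"] for e in q}
        non2xx = sum(1 for e in q if not 200 <= e["status"] < 300)
        ratio = non2xx / len(q)
        if len(distinct) >= min_distinct and ratio >= min_non2xx_ratio:
            alerts[ev["user"]] = {
                "first_seen": ev["ts"].isoformat(),
                "src": ev["src"],
                "distinct_paths": len(distinct),
                "requests_in_window": len(q),
                "non_2xx_ratio": round(ratio, 2),
            }
    return alerts


if __name__ == "__main__":
    for user, info in detect_enumeration(build_sample_logs()).items():
        print(user, info)
```

The polling account (bob) is not flagged because it hits one path, and the ordinary user (alice) is not flagged because five distinct paths is below the threshold; tune `min_distinct`, `window` and `min_non2xx_ratio` against your own traffic before alerting on it.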
