CVE-2025-36228

3.8 LOW

📋 TL;DR

IBM Aspera Faspex 5 versions 5.0.0 through 5.0.14.1 have inconsistent permissions between the user interface and backend API, allowing users to access features that appear disabled in the UI. This could lead to unauthorized functionality access. Organizations using affected versions of IBM Aspera Faspex 5 are impacted.

💻 Affected Systems

Products:
  • IBM Aspera Faspex 5
Versions: 5.0.0 through 5.0.14.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users could access administrative or sensitive features that should be disabled, potentially leading to data exposure, unauthorized file transfers, or privilege escalation.

🟠 Likely Case

Users inadvertently or intentionally access features they shouldn't have permission to use, leading to policy violations or unintended data access.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to minor policy violations with no data compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access and knowledge of the backend API endpoints behind features that appear disabled in the UI.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.14.2 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7255331

Restart Required: Yes

Instructions:

1. Download IBM Aspera Faspex 5 version 5.0.14.2 or later from IBM Fix Central.
2. Back up the current installation and configuration.
3. Apply the update following IBM's installation guide.
4. Restart the Aspera Faspex service.

🔧 Temporary Workarounds

Restrict API Access

all

Implement network-level restrictions to limit API access to authorized users only.

🧯 If You Can't Patch

  • Implement strict access controls and user permissions monitoring.
  • Disable or restrict API endpoints not required for business operations.

🔍 How to Verify

Check if Vulnerable:

Check the Aspera Faspex version via the admin console or configuration files. If the version is between 5.0.0 and 5.0.14.1 inclusive, the system is vulnerable.

Check Version:

Check the Aspera Faspex web interface admin panel or the configuration files for version information.

Verify Fix Applied:

Verify that the version is 5.0.14.2 or later, and test that features disabled in the UI can no longer be reached through the backend API.
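The version checks above (affected range 5.0.0 through 5.0.14.1, fixed in 5.0.14.2 or later) are easy to get wrong with plain string comparison, which ranks "5.0.2" above "5.0.14.1". The following is an added example, not tooling from IBM or from this advisory; it assumes dotted numeric version strings as reported by the admin console, and the host inventory it runs over is constructed for illustration.

```python
# Added example (not IBM's code): classify IBM Aspera Faspex 5 version strings
# against the CVE-2025-36228 range and report affected hosts from an inventory.
# Versions are compared component-wise as integer tuples so that, e.g.,
# 5.0.2 < 5.0.14 < 5.0.14.1 < 5.0.14.2, which a string comparison would not give.

AFFECTED_MIN = (5, 0, 0)       # first affected release named in the advisory
AFFECTED_MAX = (5, 0, 14, 1)   # last affected release (inclusive)
FIXED = (5, 0, 14, 2)          # first fixed release ("5.0.14.2 or later")


def parse_version(text):
    """Turn '5.0.14.1' into (5, 0, 14, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version):
    """Return 'affected', 'fixed', or 'not in advisory scope' for a version string."""
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        return "fixed"
    # Older lines (e.g. 4.x) are not covered by this advisory; check IBM separately.
    return "not in advisory scope"


def affected_hosts(inventory):
    """Given {hostname: version}, return the sorted hostnames still affected."""
    return sorted(h for h, ver in inventory.items() if classify(ver) == "affected")


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames and versions are made up.
    sample = {
        "faspex-prod-1": "5.0.14.1",
        "faspex-prod-2": "5.0.14.2",
        "faspex-dr": "5.0.2",
        "faspex-legacy": "4.4.2",
    }
    for host in affected_hosts(sample):
        print(f"{host}: {sample[host]} is affected, upgrade to 5.0.14.2 or later")
```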

📡 Detection & Monitoring

Log Indicators:

  • Unusual API access patterns
  • Access to endpoints that should be disabled per UI configuration
  • Permission violation alerts

Network Indicators:

  • API requests to endpoints that appear disabled in UI
  • Unexpected data transfer patterns

SIEM Query:

Search for Aspera Faspex API access logs where endpoint access contradicts UI permission settings.
