CVE-2025-36229

3.1 LOW

📋 TL;DR

This vulnerability in IBM Aspera Faspex 5 allows authenticated users to enumerate sensitive information by discovering package identifiers. It affects organizations using IBM Aspera Faspex 5 versions 5.0.0 through 5.0.14.1 for high-speed file transfers.

💻 Affected Systems

Products:
  • IBM Aspera Faspex 5
Versions: 5.0.0 through 5.0.14.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; affects all deployment configurations.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could map all data packages in the system, potentially identifying sensitive files and their metadata for targeted attacks.

🟠 Likely Case

Information disclosure allowing attackers to discover what data packages exist and potentially infer sensitive business activities.

🟢 If Mitigated

Limited information exposure with proper access controls and monitoring in place.

🌐 Internet-Facing: MEDIUM - Internet-facing instances could allow external authenticated attackers to enumerate data packages.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could still enumerate sensitive package information.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple enumeration technique once authenticated.

Exploitation requires valid user credentials; enumeration likely involves API or interface queries.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.14.2 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7255331

Restart Required: Yes

Instructions:

1. Download IBM Aspera Faspex 5 version 5.0.14.2 or later from IBM Fix Central.
2. Back up the current configuration and data.
3. Install the update following IBM's installation guide.
4. Restart the Aspera Faspex service.

🔧 Temporary Workarounds

Restrict User Access (applies to: all)

Limit authenticated user access to only necessary personnel and implement least privilege principles.

Enhanced Monitoring (applies to: all)

Monitor for unusual enumeration patterns in application logs.

🧯 If You Can't Patch

  • Implement strict access controls and audit all authenticated user activities.
  • Segment the Aspera Faspex instance from sensitive networks and implement network monitoring.

🔍 How to Verify

Check if Vulnerable:

Check Aspera Faspex version via admin interface or configuration files; versions 5.0.0 through 5.0.14.1 are vulnerable.

Check Version:

Check Aspera Faspex admin console or configuration files for version information.

Verify Fix Applied:

Verify version is 5.0.14.2 or later and test that authenticated users cannot enumerate package IDs beyond their permissions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual patterns of package ID queries
  • Multiple sequential package enumeration attempts from single users

Network Indicators:

  • High volume of API calls to package endpoints
  • Patterned requests for sequential package IDs

SIEM Query:

source="aspera_faspex" AND (event_type="package_query" OR api_endpoint="/packages/*") AND count > threshold
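An added example of the log-based detection described above (not from the original page or from IBM): it scans constructed request-log lines, whose `user=` / `path=/packages/<id>` layout is an assumption rather than the real Faspex log schema, for a single user walking consecutive package IDs inside a short window, and counts the 403/404 responses inside that run, which guessed identifiers typically produce.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines; the field layout is an assumption for this
# example and is not IBM Aspera Faspex's real log format.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z user=alice path=/packages/1001 status=200
2025-06-01T10:00:02Z user=alice path=/packages/1002 status=404
2025-06-01T10:00:03Z user=alice path=/packages/1003 status=403
2025-06-01T10:00:04Z user=alice path=/packages/1004 status=403
2025-06-01T10:00:05Z user=alice path=/packages/1005 status=200
2025-06-01T10:00:06Z user=bob path=/packages/2042 status=200
2025-06-01T10:00:07Z user=carol path=/packages/3100 status=200
2025-06-01T10:00:08Z user=carol path=/packages/3900 status=200
2025-06-01T10:05:00Z user=bob path=/packages/2043 status=200
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) path=/packages/(\d+) status=(\d+)$")


def parse_log(text):
    """Yield (timestamp, user, package_id, status) for each package lookup."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a package lookup; ignore
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts.replace(tzinfo=timezone.utc), m.group(2), int(m.group(3)), int(m.group(4))


def find_enumerators(text, min_run=4, window_seconds=60):
    """Return {user: {"run": longest consecutive-ID run, "denied": 403/404 hits in it}}
    for users whose longest run reaches min_run within window_seconds."""
    per_user = defaultdict(list)
    for ts, user, pid, status in parse_log(text):
        per_user[user].append((ts, pid, status))
    flagged = {}
    for user, events in per_user.items():
        events.sort()  # chronological order per user
        best, start = {"run": 0, "denied": 0}, 0
        for i in range(len(events)):
            # Restart the run unless this ID is exactly previous + 1 and the
            # run, measured from its first request, still fits the window.
            if i and (events[i][1] != events[i - 1][1] + 1
                      or (events[i][0] - events[start][0]).total_seconds() > window_seconds):
                start = i
            run = events[start:i + 1]
            if len(run) > best["run"]:
                best = {"run": len(run), "denied": sum(s in (403, 404) for _, _, s in run)}
        if best["run"] >= min_run:
            flagged[user] = best
    return flagged
```

Thresholds are placeholders; tune `min_run` and `window_seconds` against your own baseline of legitimate package access before alerting on the result.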
