CVE-2022-47986
CVE-2022-47986 is a critical-severity vulnerability in Ibm Aspera Faspex with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-02-21). The underlying weakness is classified as CWE-502.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-02-21)
- EU (EUVD) id: EUVD-2022-50700
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-02-21)
- Weakness: CWE-502
- Affected product: Ibm Aspera Faspex
- Published:
- Last modified:
Description
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.
CVE-2022-47986: IBM Aspera Faspex YAML Deserialization RCE
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2022-47986 |
| Vendor | IBM |
| Product | Aspera Faspex |
| Severity | Critical (CVSS 3.1: 9.8) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-502: Deserialization of Untrusted Data |
| KEV | Yes — added 2023-02-21 |
| EPSS | 0.99968 (99.98th percentile) |
| Published | 2023-02-17 |
Summary
A YAML deserialization vulnerability in IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier allows unauthenticated remote attackers to execute arbitrary code on the target system by sending a specially crafted request to an obsolete API endpoint.
Background
IBM Aspera Faspex is a centralized file-exchange solution built on Aspera's high-speed transfer technology. It is widely deployed in enterprise and media workflows to send and receive large files. Faspex exposes several API endpoints for automation and integration; one such endpoint was deprecated but remained reachable in versions prior to 4.4.2 Patch Level 2, creating an unauthenticated attack surface.
Root Cause
The vulnerability is classified under CWE-502: Deserialization of Untrusted Data. The obsolete API call accepted YAML payloads without adequate validation or sanitization. When an attacker supplies a malicious YAML document containing embedded object deserialization directives, the Faspex application processes it through a YAML parser configured to instantiate arbitrary objects. This leads to immediate remote code execution because the attacker can control the class and arguments being instantiated.
Impact
The CVSS 3.1 score of 9.8 (Critical) reflects the worst-case network exposure:
- Attack Vector (AV): Network — exploitable remotely without network segmentation bypasses.
- Attack Complexity (AC): Low — no special conditions or race windows are required.
- Privileges Required (PR): None — the vulnerable endpoint is reachable without authentication.
- User Interaction (UI): None — fully automated exploitation.
- Scope (S): Unchanged — impact remains within the vulnerable component.
- Confidentiality (C): High — complete data disclosure.
- Integrity (I): High — arbitrary modification of data or system state.
- Availability (A): High — system can be rendered unavailable or repurposed by the attacker.
Successful exploitation grants the attacker full control over the Faspex host with the privileges of the application service account.
Exploitation Walkthrough
Ethics caveat: The following description is provided for defensive awareness only. No weaponized exploit code is included, and the obsolete endpoint was removed by the vendor in the patched release.
- Reconnaissance — The attacker identifies a Faspex instance running version 4.4.2 PL1 or earlier (e.g., via banner extraction, exposed
/aspera/faspexpaths, or public asset discovery). - Endpoint probing — The attacker sends benign requests to the obsolete API route to confirm reachability. A valid but minimal YAML payload may be used to verify that the endpoint parses YAML rather than JSON or XML.
- Deserialization trigger — The attacker crafts a YAML payload that leverages the underlying parser's object-instantiation capabilities. In typical Ruby-based YAML parsers (common in Faspex's stack), this involves supplying a serialized object with a chosen class and attacker-controlled initialization arguments.
- Code execution — The instantiated object executes attacker-supplied logic during initialization or finalization, yielding a shell or reverse connection back to the attacker.
Defenders should treat any Faspex instance older than 4.4.2 PL2 as compromised until proven otherwise if it is internet-facing, given the EPSS score and confirmed in-the-wild exploitation.
Affected and Patched Versions
| Status | Versions |
|---|---|
| Affected | IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier |
| Patched | IBM Aspera Faspex 4.4.2 Patch Level 2 and later |
The vendor removed the obsolete API call entirely in Patch Level 2, eliminating the attack surface rather than adding input validation alone.
Remediation
- Upgrade immediately — Apply IBM Aspera Faspex 4.4.2 Patch Level 2 (or the latest available release from IBM's support portal). The obsolete API is removed in this version.
- Compensating controls (if upgrade is delayed):
- Place the Faspex management interface behind a VPN or IP-restricted jump host; do not expose it directly to the internet.
- Deploy a Web Application Firewall (WAF) rule to block requests to the obsolete API path based on known URL patterns and YAML content-type indicators.
- Monitor for anomalous YAML payloads in HTTP request bodies.
- Reduce the service account privileges of the Faspex application to limit post-exploitation lateral movement.
Detection
- Network signatures — Monitor HTTP POST requests to legacy API paths that carry
Content-Typevalues associated with YAML (application/x-yaml,text/yaml, ortext/x-yaml). - Host indicators — Unexpected child processes spawned by the Faspex application server (e.g.,
/bin/sh,powershell.exe, or scripting interpreters) are strong indicators of successful exploitation. - File integrity — Review web server and application logs for 200 OK responses to the obsolete endpoint from unexpected source IPs.
- Threat-intel correlation — Cross-reference source IPs against CISA KEV and EUVD advisories for this CVE.
Assessment
With an EPSS of 0.99968 and confirmed inclusion in the CISA Known Exploited Vulnerabilities catalog since 2023-02-21, this flaw is not theoretical—attackers have been actively abusing it in the wild for over two years. The near-perfect EPSS percentile places it in the top fraction of a percent of all CVEs by probability of exploitation.
Key lessons:
- Remove deprecated endpoints — Input validation alone is insufficient; unused or obsolete APIs should be disabled or removed in security patches to shrink the attack surface.
- Deserialization is a critical control point — Any endpoint that parses serialized data formats (YAML, JSON, XML, Java serialized objects) must use strictly typed schemas and reject unexpected object types.
References
Frequently asked questions
- What is CVE-2022-47986?
- IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.
- How severe is CVE-2022-47986?
- CVE-2022-47986 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-47986 being actively exploited?
- Yes. CVE-2022-47986 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-02-21, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-47986?
- CVE-2022-47986 primarily affects Ibm Aspera Faspex. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-47986?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-47986 have an EU (EUVD) identifier?
- Yes. CVE-2022-47986 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-50700. It is also flagged as exploited in the EUVD (since 2023-02-21).
- When was CVE-2022-47986 published?
- CVE-2022-47986 was published on 2023-02-17 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/243512
- https://www.ibm.com/support/pages/node/6952319
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-47986
Affected products (3)
- cpe:2.3:a:ibm:aspera_faspex:*:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:aspera_faspex:4.4.2:-:*:*:*:*:*:*
- cpe:2.3:a:ibm:aspera_faspex:4.4.2:patch_level_1:*:*:*:*:*:*
More vulnerabilities in Ibm Aspera Faspex
- CVE-2023-27874 — Critical (CVSS 9.9): IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A…
- CVE-2023-37400 — High (CVSS 7.8): IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to escalate their privileges due to insecure credential…
- CVE-2023-30995 — High (CVSS 7.5): IBM Aspera Faspex 4.0 through 4.4.2 and 5.0 through 5.0.5 could allow a malicious actor to bypass IP whitelist…
- CVE-2023-27871 — High (CVSS 7.5): IBM Aspera Faspex 4.4.2 could allow a remote attacker to obtain sensitive credential information for an external user,…
- CVE-2023-27875 — High (CVSS 7.5): IBM Aspera Faspex 5.0.4 could allow a user to change other user's credentials due to improper access controls. IBM…
- CVE-2022-22497 — High (CVSS 7.5): IBM Aspera Faspex 4.4.1 and 5.0.0 could allow unauthorized access due to an incorrectly computed security token. IBM…
All CVEs affecting Ibm Aspera Faspex →
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities
- CVE-2026-41104 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
- CVE-2026-43633 — Critical (CVSS 10.0): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a…
- CVE-2026-33819 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- CVE-2026-20131 — Critical (CVSS 10.0): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2026-25632 — Critical (CVSS 10.0): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water…
- CVE-2025-14931 — Critical (CVSS 10.0): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability.…
Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →