CVE-2022-47986

CVE-2022-47986 is a critical-severity vulnerability in Ibm Aspera Faspex with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-02-21). The underlying weakness is classified as CWE-502.

Key facts

Description

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.

CVE-2022-47986: IBM Aspera Faspex YAML Deserialization RCE

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2022-47986
Vendor IBM
Product Aspera Faspex
Severity Critical (CVSS 3.1: 9.8)
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE CWE-502: Deserialization of Untrusted Data
KEV Yes — added 2023-02-21
EPSS 0.99968 (99.98th percentile)
Published 2023-02-17

Summary

A YAML deserialization vulnerability in IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier allows unauthenticated remote attackers to execute arbitrary code on the target system by sending a specially crafted request to an obsolete API endpoint.

Background

IBM Aspera Faspex is a centralized file-exchange solution built on Aspera's high-speed transfer technology. It is widely deployed in enterprise and media workflows to send and receive large files. Faspex exposes several API endpoints for automation and integration; one such endpoint was deprecated but remained reachable in versions prior to 4.4.2 Patch Level 2, creating an unauthenticated attack surface.

Root Cause

The vulnerability is classified under CWE-502: Deserialization of Untrusted Data. The obsolete API call accepted YAML payloads without adequate validation or sanitization. When an attacker supplies a malicious YAML document containing embedded object deserialization directives, the Faspex application processes it through a YAML parser configured to instantiate arbitrary objects. This leads to immediate remote code execution because the attacker can control the class and arguments being instantiated.

Impact

The CVSS 3.1 score of 9.8 (Critical) reflects the worst-case network exposure:

  • Attack Vector (AV): Network — exploitable remotely without network segmentation bypasses.
  • Attack Complexity (AC): Low — no special conditions or race windows are required.
  • Privileges Required (PR): None — the vulnerable endpoint is reachable without authentication.
  • User Interaction (UI): None — fully automated exploitation.
  • Scope (S): Unchanged — impact remains within the vulnerable component.
  • Confidentiality (C): High — complete data disclosure.
  • Integrity (I): High — arbitrary modification of data or system state.
  • Availability (A): High — system can be rendered unavailable or repurposed by the attacker.

Successful exploitation grants the attacker full control over the Faspex host with the privileges of the application service account.

Exploitation Walkthrough

Ethics caveat: The following description is provided for defensive awareness only. No weaponized exploit code is included, and the obsolete endpoint was removed by the vendor in the patched release.

  1. Reconnaissance — The attacker identifies a Faspex instance running version 4.4.2 PL1 or earlier (e.g., via banner extraction, exposed /aspera/faspex paths, or public asset discovery).
  2. Endpoint probing — The attacker sends benign requests to the obsolete API route to confirm reachability. A valid but minimal YAML payload may be used to verify that the endpoint parses YAML rather than JSON or XML.
  3. Deserialization trigger — The attacker crafts a YAML payload that leverages the underlying parser's object-instantiation capabilities. In typical Ruby-based YAML parsers (common in Faspex's stack), this involves supplying a serialized object with a chosen class and attacker-controlled initialization arguments.
  4. Code execution — The instantiated object executes attacker-supplied logic during initialization or finalization, yielding a shell or reverse connection back to the attacker.

Defenders should treat any Faspex instance older than 4.4.2 PL2 as compromised until proven otherwise if it is internet-facing, given the EPSS score and confirmed in-the-wild exploitation.

Affected and Patched Versions

Status Versions
Affected IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier
Patched IBM Aspera Faspex 4.4.2 Patch Level 2 and later

The vendor removed the obsolete API call entirely in Patch Level 2, eliminating the attack surface rather than adding input validation alone.

Remediation

  1. Upgrade immediately — Apply IBM Aspera Faspex 4.4.2 Patch Level 2 (or the latest available release from IBM's support portal). The obsolete API is removed in this version.
  2. Compensating controls (if upgrade is delayed):
    • Place the Faspex management interface behind a VPN or IP-restricted jump host; do not expose it directly to the internet.
    • Deploy a Web Application Firewall (WAF) rule to block requests to the obsolete API path based on known URL patterns and YAML content-type indicators.
    • Monitor for anomalous YAML payloads in HTTP request bodies.
    • Reduce the service account privileges of the Faspex application to limit post-exploitation lateral movement.

Detection

  • Network signatures — Monitor HTTP POST requests to legacy API paths that carry Content-Type values associated with YAML (application/x-yaml, text/yaml, or text/x-yaml).
  • Host indicators — Unexpected child processes spawned by the Faspex application server (e.g., /bin/sh, powershell.exe, or scripting interpreters) are strong indicators of successful exploitation.
  • File integrity — Review web server and application logs for 200 OK responses to the obsolete endpoint from unexpected source IPs.
  • Threat-intel correlation — Cross-reference source IPs against CISA KEV and EUVD advisories for this CVE.

Assessment

With an EPSS of 0.99968 and confirmed inclusion in the CISA Known Exploited Vulnerabilities catalog since 2023-02-21, this flaw is not theoretical—attackers have been actively abusing it in the wild for over two years. The near-perfect EPSS percentile places it in the top fraction of a percent of all CVEs by probability of exploitation.

Key lessons:

  1. Remove deprecated endpoints — Input validation alone is insufficient; unused or obsolete APIs should be disabled or removed in security patches to shrink the attack surface.
  2. Deserialization is a critical control point — Any endpoint that parses serialized data formats (YAML, JSON, XML, Java serialized objects) must use strictly typed schemas and reject unexpected object types.

References

Frequently asked questions

What is CVE-2022-47986?
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.
How severe is CVE-2022-47986?
CVE-2022-47986 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-47986 being actively exploited?
Yes. CVE-2022-47986 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-02-21, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-47986?
CVE-2022-47986 primarily affects Ibm Aspera Faspex. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-47986?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-47986 have an EU (EUVD) identifier?
Yes. CVE-2022-47986 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-50700. It is also flagged as exploited in the EUVD (since 2023-02-21).
When was CVE-2022-47986 published?
CVE-2022-47986 was published on 2023-02-17 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Ibm Aspera Faspex

All CVEs affecting Ibm Aspera Faspex →

Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities

Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →