A vulnerability in IBM Aspera Faspex servers is being actively exploited by ransomware criminals, researchers warn.

Hackers are exploiting a critical vulnerability in an IBM file-exchange application. According to security researchers, the criminals are using the flaw to install ransomware on servers.

The target of these threat actors is the IBM Aspera Faspex server platform. Faspex is a centralized file-exchange application that large organizations use to transfer large files or large volumes of files at very high speeds.

Aspera uses IBM’s proprietary FASP, which stands for “Fast, Adaptive, and Secure Protocol”. The protocol is designed to utilize available network bandwidth better. The product also provides “fine-grained management” that allows users to send files to a list of recipients in distribution lists, shared inboxes or workgroups. This gives file transfers a workflow that’s similar to email.


On January 26, 2023, IBM published an advisory for multiple security issues affecting its Aspera Faspex software. The most critical of these was CVE-2022-47986, which is a pre-authentication YAML deserialization vulnerability in Ruby on Rails code. The vulnerability carries a CVSS (Common Vulnerability Scoring System) score of 9.8 out of 10.

On Tuesday, researchers from security firm Rapid7 published a blog post describing one recent incident where one of their customers was compromised via CVE-2022-47986.

Vulnerability details and working proof-of-concept have been available since February, according to Rapid7. They add that there have been multiple reports of exploitation since then, including the vulnerability’s use in the IceFire ransomware campaign. Rapid7 vulnerability researchers published a full analysis of CVE-2022-47986 in AttackerKB in February 2023.

“In light of active exploitation and the fact that Aspera Faspex is typically installed on the network perimeter, we strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur”, they wrote.

According to IBM, affected products include Aspera Faspex 4.4.2 Patch Level 1 and below. CVE-2022-47986 is remediated in 4.4.2 Patch Level 2.