"Patch Now: Cybercriminals Set Sights on Critical IBM File Transfer Bug"

A critical bug in IBM's popular Aspera Faspex file transfer stack enables the execution of arbitrary code. The bug is attracting an increasing number of cybercriminals, including ransomware gangs, as organizations fail to patch it. Rapid7 researchers emphasized that the vulnerability, tracked as CVE-2022-47986, is being exploited in the wild months after IBM provided a fix for it, stating that one of Rapid7's clients was recently compromised through the flaw. As a result, the researchers noted that immediate action is required. IBM Aspera Faspex is a cloud-based file exchange application that uses the Fast Adaptive and Secure Protocol (FASP) to enable organizations to transfer files at a faster rate than is possible via normal TCP-based connections. According to Enlyft, large organizations such as Red Hat and the University of California use the Aspera service, which is so highly praised that it has received an Emmy. The vulnerability is in Faspex version 4.4.2 Patch Level 1 and carries a CVSS severity rating of 9.8 out of 10. An attacker could remotely deploy their own code on any system running Faspex by sending a carefully crafted call to an obsolete Application Programming Interface (API). This article continues to discuss the potential exploitation and impact of the vulnerability with a 9.8 CVSS rating in IBM's widely deployed Aspera Faspex offering.

Dark Reading reports "Patch Now: Cybercriminals Set Sights on Critical IBM File Transfer Bug"

Submitted by Anonymous on