What is IBM Aspera Faspex?
IBM Aspera Faspex is an enterprise file transfer platform built on IBM's FASP (Fast, Adaptive, and Secure Protocol) technology, which provides high-speed file delivery that outperforms standard HTTP/FTP for large file transfers. Faspex is used by media production companies, financial institutions, government agencies, and research organizations to securely exchange large files and datasets. The platform exposes a web-based interface and REST API for managing file packages, user accounts, and transfer jobs — typically accessible from the internet to support external file exchange workflows. As a platform handling sensitive file transfers, Faspex often contains confidential data and credentials for connected storage systems.
Overview
CVE-2022-47986 is a critical pre-authentication remote code execution vulnerability (CWE-502, CVSS 9.8) in IBM Aspera Faspex. An unauthenticated remote attacker can exploit an insecure YAML deserialization flaw in the Faspex REST API to execute arbitrary code on the underlying server. IBM patched the issue in Faspex 4.4.2 iFix 2 in January 2023. IceFire ransomware was documented exploiting this vulnerability in March 2023 to deploy ransomware on Linux servers.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| IBM Aspera Faspex | 4.4.2 and earlier | 4.4.2 iFix 2 |
IBM advises customers on Faspex 4.4.x to apply the iFix patch. Customers on older branches should upgrade.
Technical Details
The vulnerability (CWE-502: Deserialization of Untrusted Data) exists in the Aspera Faspex REST API. The API is built using Ruby on Rails and, in the vulnerable code path, uses Ruby's YAML.load() to deserialize user-supplied data received in an API request without authentication.
Ruby's YAML.load() function is notoriously dangerous when processing untrusted input: unlike YAML.safe_load(), it allows instantiation of arbitrary Ruby objects from the YAML input, including objects from classes with dangerous initialization behavior. An attacker can craft a YAML payload using known Ruby deserialization gadget chains that, when processed by YAML.load(), execute OS commands on the server. The REST API endpoint that processes this YAML is accessible without authentication.
The attacker sends a single crafted POST request to the Faspex REST API containing the malicious YAML payload. Upon deserialization, the gadget chain triggers execution of attacker-controlled OS commands with the privileges of the Aspera Faspex web server process.
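The following Ruby snippet is an added illustration (not Faspex code and not from IBM) of the loading distinction described above: a permissive loader will instantiate whatever class a YAML tag names, while a tag-restricted loader refuses. The class ReportTemplate and the tagged document are constructed for the demo; the real vulnerable code path is not reproduced here.

```ruby
# Added example (not Faspex code): contrasts permissive YAML loading with a
# tag-restricted loader, using a harmless constructed class as the payload.
require 'yaml'

# Hypothetical application class; with a permissive loader, any class reachable
# in the process can be named in a YAML tag and instantiated.
class ReportTemplate
  attr_accessor :name
end

# Constructed sample input: a YAML document that asks the loader to build a
# ReportTemplate object instead of a plain Hash or String.
TAGGED_YAML = <<~YAML
  --- !ruby/object:ReportTemplate
  name: quarterly
YAML

# The vulnerable pattern: full object instantiation from untrusted input.
# Psych 4 (Ruby 3.1+) made YAML.load safe by default and moved the old
# behaviour to YAML.unsafe_load, so use whichever reproduces the old path.
def permissive_load(doc)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(doc)
  else
    YAML.load(doc)
  end
end

# The hardened pattern: only scalars, arrays and hashes are permitted; any
# !ruby/object or other class tag raises Psych::DisallowedClass.
def strict_load(doc)
  YAML.safe_load(doc, permitted_classes: [], permitted_symbols: [], aliases: false)
end

# Defender-side triage: classify a document without instantiating anything.
# Returns :object_tag if a class tag is present, :plain otherwise.
def classify(doc)
  strict_load(doc)
  :plain
rescue Psych::DisallowedClass
  :object_tag
end

if __FILE__ == $PROGRAM_NAME
  obj = permissive_load(TAGGED_YAML)
  puts "permissive loader built: #{obj.class} (name=#{obj.name})"
  puts "strict loader verdict:   #{classify(TAGGED_YAML)}"
  puts "plain document verdict:  #{classify("name: quarterly\n")}"
end
```

Run it with a Ruby 2.6 or newer interpreter; the permissive branch prints that a ReportTemplate object was built from text alone, while the strict loader rejects the same document and accepts the untagged one. That difference is the whole fix category for CWE-502 in Ruby applications: never hand untrusted YAML to an object-instantiating loader.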
Discovery
The vulnerability was identified by security researchers and reported to IBM. IBM published the patch and security bulletin in January 2023. Rapid7 published technical analysis in February 2023 confirming active exploitation, which prompted CISA's KEV addition.
Exploitation Context
CVE-2022-47986 attracted attention from ransomware operators specifically because Aspera Faspex is used for high-value file transfers in enterprises:
- IceFire ransomware: Documented by SentinelLabs in March 2023 as specifically targeting Linux servers running Aspera Faspex with this CVE. IceFire is notable for targeting Linux systems (rather than the more common Windows-focused ransomware), making Faspex's Linux deployment a natural target.
- Initial access brokers: The ability to compromise file transfer infrastructure gives attackers access to sensitive files in transit, which is valuable for both data exfiltration and establishing footholds for ransomware campaigns.
- Credential harvesting: Faspex stores credentials for connected storage systems and user authentication — valuable for lateral movement.
The pattern of ransomware groups specifically targeting enterprise file transfer solutions (MOVEit, GoAnywhere, Faspex) reflects a broader trend of targeting data transfer infrastructure to exfiltrate data for double-extortion.
Remediation
- Apply IBM patch immediately: Upgrade to Aspera Faspex 4.4.2 iFix 2 per IBM Security Bulletin. This is actively exploited — do not delay.
- Restrict API internet access: Aspera Faspex's management interface and REST API should not be directly internet-accessible without additional authentication controls. Use a VPN or IP allowlist for administrative access.
- Audit for compromise: If Faspex was internet-accessible before patching, conduct forensic review for evidence of exploitation — check for unexpected processes, new user accounts, modified application files, and unusual outbound network connections.
- Inspect file transfer logs: Review Faspex transfer logs for unauthorized access to files or packages — attackers may have exfiltrated sensitive files transferred through the system.
- Rotate Faspex credentials: Change all Faspex user passwords and API keys. If Faspex has access to connected storage (S3, NFS, etc.), rotate those credentials as well.
- Monitor for ransomware indicators: If IceFire or other ransomware deployment is suspected, check for encrypted files with .ifire extensions and unusual filesystem activity.
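As an added example (not IBM's tooling), the Ruby script below implements two of the post-patch checks listed above in one pass: it flags files carrying the .ifire extension named on this page and lists application files modified after a cut-off time. The cut-off, the application file extensions and the demo directory layout are assumptions chosen for the illustration; on a real host the root would be the Faspex install directory and the cut-off the last known-good time.

```ruby
# Added example (not IBM's tooling): a small post-patch triage scan.
require 'find'
require 'time'
require 'tmpdir' # used only by the constructed demo tree below

# Extension named on the page for IceFire-encrypted files.
RANSOM_EXT = '.ifire'

# Walk `root` and return { encrypted: [...], modified: [...] }:
#   :encrypted  files whose name ends in RANSOM_EXT
#   :modified   files with an application extension (assumed list) whose
#               mtime is later than `since` (a Time)
def triage_scan(root, since:, app_exts: %w[.rb .erb .yml])
  result = { encrypted: [], modified: [] }
  Find.find(root) do |path|
    next unless File.file?(path)
    result[:encrypted] << path if path.end_with?(RANSOM_EXT)
    next unless app_exts.include?(File.extname(path))
    result[:modified] << path if File.mtime(path) > since
  end
  result.each_value(&:sort!)
end

# Constructed demo tree: one encrypted-looking file, one config edited after
# the cut-off, one untouched source file. Not real Faspex paths.
def build_demo_tree(dir, cutoff)
  File.write(File.join(dir, 'packages.db.ifire'), 'x')
  cfg = File.join(dir, 'database.yml')
  File.write(cfg, 'adapter: pg')
  File.utime(cutoff + 3600, cutoff + 3600, cfg)
  src = File.join(dir, 'routes.rb')
  File.write(src, '# untouched')
  File.utime(cutoff - 86_400, cutoff - 86_400, src)
  dir
end

if __FILE__ == $PROGRAM_NAME
  # Assumed cut-off: the patch date from this page; use your own patch time.
  cutoff = Time.parse('2023-01-26T00:00:00Z')
  Dir.mktmpdir do |dir|
    build_demo_tree(dir, cutoff)
    findings = triage_scan(dir, since: cutoff)
    puts "encrypted-looking files:          #{findings[:encrypted].size}"
    puts "app files modified after cut-off: #{findings[:modified].size}"
    findings.each { |kind, paths| paths.each { |p| puts "  #{kind}: #{p}" } }
  end
end
```

Any hit in either list is a reason to preserve the host for forensic review rather than simply patching over it, and the modified-file list should be compared against the files the iFix itself changes so the patch is not mistaken for tampering.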
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-47986 |
| Vendor / Product | IBM — Aspera Faspex |
| NVD Published | 2023-02-17 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-502 |
| CISA KEV Added | 2023-02-21 |
| CISA KEV Deadline | 2023-03-14 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2023-01-26 | IBM published security bulletin and patched Aspera Faspex 4.4.2 iFix 2 |
| 2023-02-02 | Rapid7 published technical analysis confirming exploitation in the wild |
| 2023-02-17 | CVE published |
| 2023-02-21 | CISA added to KEV |
| 2023-03-07 | IceFire ransomware documented exploiting CVE-2022-47986 |
| 2023-03-14 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2022-47986 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| IBM Security Bulletin — CVE-2022-47986 | Vendor Advisory |