Unrated severityCISA KEVNVD Advisory· Published Feb 17, 2023· Updated Oct 21, 2025

IBM Aspera Faspex code execution

CVE-2022-47986

Description

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.

Affected products

IBM/Aspera Faspexv5
Range: 4.4.2 Patch Level 1 and earlier

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.ibm.com/support/pages/node/6952319mitrevendor-advisory
exchange.xforce.ibmcloud.com/vulnerabilities/243512mitrevdb-entry
packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.htmlmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.075
exploit	0.030
kev	0.120
patch	0.000
ransomware	0.060