Last updated at Tue, 28 Mar 2023 19:42:46 GMT

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

On January 26, 2023, IBM published an advisory for multiple security issues affecting its Aspera Faspex software. The most critical of these was CVE-2022-47986, which is a pre-authentication YAML deserialization vulnerability in Ruby on Rails code. The vulnerability carries a CVSS score of 9.8.

Vulnerability details and working proof-of-concept code have been available since February, and there have been multiple reports of exploitation since then, including the vulnerability’s use in the IceFire ransomware campaign. Rapid7 vulnerability researchers published a full analysis of CVE-2022-47986 in AttackerKB in February 2023.

Rapid7 is aware of at least one recent incident where a customer was compromised via CVE-2022-47986. In light of active exploitation and the fact that Aspera Faspex is typically installed on the network perimeter, we strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur.

According to IBM, affected products include Aspera Faspex 4.4.2 Patch Level 1 and below. CVE-2022-47986 is remediated in 4.4.2 Patch Level 2.

Logfiles can be found in the folder /opt/aspera/faspex/log by default. Entries related to PackageRelayController#relay_package should be considered suspicious. See AttackerKB for additional in-depth technical analysis.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2022-47986 with an authenticated vulnerability check available as of the February 17, 2023 content release. A remote vulnerability check was released on February 27, 2023. Accuracy improvements to both checks were released March 28, 2023.