PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8175 IBM CVE debrief

A critical buffer overflow vulnerability in IBM Aspera High-Speed Transfer Endpoint and Server versions 3.7.4 through 4.4.7 Fix Pack 1 affects the asperahttpd component. The vulnerability, classified as CWE-122 (Heap-based Buffer Overflow), carries a CVSS 3.1 score of 9.8 (Critical), reflecting a network attack vector, low attack complexity, no privileges required, and no user interaction needed. Successful exploitation could result in denial of service, authentication bypass, or remote code execution. The vulnerability was published to NVD on May 27, 2026 and remains under analysis. IBM has published a security bulletin with remediation guidance. Organizations should prioritize patching given the critical severity and the potential for unauthenticated remote code execution.

Vendor
IBM
Product
Aspera High-Speed Transfer Endpoint
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running IBM Aspera High-Speed Transfer Endpoint or Server for managed file transfer operations; security teams responsible for critical infrastructure protection; compliance officers tracking unauthenticated RCE exposure in data transfer systems

Technical summary

The asperahttpd component in IBM Aspera High-Speed Transfer Endpoint and Server contains a heap-based buffer overflow (CWE-122) in versions 3.7.4 through 4.4.7 Fix Pack 1. The vulnerability is remotely exploitable without authentication or user interaction. Impact ranges from service disruption to complete system compromise via remote code execution. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects maximum impact across confidentiality, integrity, and availability dimensions.

Defensive priority

critical

Recommended defensive actions

  • Apply IBM Aspera High-Speed Transfer Endpoint/Server 4.4.7 Fix Pack 1 or later security update per vendor bulletin
  • If immediate patching is not feasible, restrict network access to the asperahttpd service to trusted administrative hosts only
  • Monitor for asperahttpd process crashes and unexpected authentication events as potential exploitation indicators
  • Review IBM security bulletin for additional configuration-based mitigations
  • Validate endpoint and server inventory to identify affected versions 3.7.4 through 4.4.7 Fix Pack 1
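The inventory check in the last step is easy to get wrong by hand, because Aspera versions carry a Fix Pack suffix that plain string comparison does not order correctly. The following script is an added example, not code from PatchSiren or IBM: it parses version strings of the form "4.4.7 Fix Pack 1" (the "FP1" shorthand is an assumption), compares them as (major, minor, patch, fixpack) tuples, and sorts a constructed inventory into affected, clean and unparseable hosts. The debrief lists 4.4.7 Fix Pack 1 as the top of the affected range, so the check treats that level as affected; confirm the exact boundary against the IBM bulletin before acting on the result. Hostnames and versions in the sample inventory are made up.

```python
import re
from typing import List, Tuple

# Accepts "3.7.4", "4.4.7 Fix Pack 1" or "4.4.7 FP1" (the FP shorthand is an assumption).
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*(?:fix\s*pack|fp)\s*(\d+))?\s*$",
    re.IGNORECASE,
)

VersionKey = Tuple[int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Turn an Aspera version string into a comparable (major, minor, patch, fixpack) tuple."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Aspera version string: {text!r}")
    major, minor, patch, fixpack = match.groups()
    # A release with no Fix Pack sorts below the same release's Fix Pack 1.
    return (int(major), int(minor), int(patch), int(fixpack) if fixpack else 0)


# Affected range exactly as the debrief states it: 3.7.4 through 4.4.7 Fix Pack 1, inclusive.
AFFECTED_LOW = parse_version("3.7.4")
AFFECTED_HIGH = parse_version("4.4.7 Fix Pack 1")


def is_affected(version: str) -> bool:
    """True when the version falls inside the affected range (tuple comparison handles Fix Packs)."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


# Constructed sample inventory: (hostname, product, reported version). Not real hosts.
SAMPLE_INVENTORY = [
    ("xfer-edge-01", "Aspera HSTS", "4.4.7 Fix Pack 1"),  # top of affected range
    ("xfer-edge-02", "Aspera HSTS", "4.4.7 FP2"),         # one Fix Pack above the range
    ("xfer-core-01", "Aspera HSTE", "3.7.3"),             # one patch release below the range
    ("xfer-core-02", "Aspera HSTE", "4.4.5"),             # inside the range
    ("xfer-lab-01", "Aspera HSTE", "unknown"),            # agent did not report a version
]


def triage(inventory) -> Tuple[List[str], List[str], List[str]]:
    """Split an inventory into affected, clean and unparseable hostnames.

    Hosts whose version cannot be parsed are reported separately rather than
    silently counted as clean, so they get manual verification.
    """
    affected: List[str] = []
    clean: List[str] = []
    unparseable: List[str] = []
    for host, _product, version in inventory:
        try:
            (affected if is_affected(version) else clean).append(host)
        except ValueError:
            unparseable.append(host)
    return affected, clean, unparseable


if __name__ == "__main__":
    hit, ok, unknown = triage(SAMPLE_INVENTORY)
    print("affected:   ", hit)
    print("clean:      ", ok)
    print("verify:     ", unknown)
```

Feed `triage()` the output of whatever asset inventory you already have (CMDB export, agent query) as (host, product, version) rows; the point of the separate unparseable bucket is that a host with a missing or odd version string is a verification task, not evidence that it is patched.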

Evidence notes

Vulnerability description sourced from NVD official record. CVSS vector confirms network-accessible attack with no authentication barriers. IBM PSIRT reference provides vendor acknowledgment. CPE criteria not yet populated in NVD feed; version range derived from description text.

Official resources

2026-05-27