PatchSiren

CVE-2026-8180 IBM CVE debrief

IBM Aspera High-Speed Transfer Endpoint and Server versions 3.7.4 through 4.4.7 Fix Pack 1 contain a denial-of-service vulnerability in the asperahttpd component. An unauthenticated remote attacker can trigger a crash of the asperahttpd service. The vulnerability is classified as CWE-476 (NULL Pointer Dereference) and carries a CVSS 3.1 score of 7.5 (HIGH severity) with network attack vector, low attack complexity, and no required privileges or user interaction. The affected products are enterprise file transfer solutions commonly deployed for high-speed data movement. The IBM PSIRT advisory provides patch guidance. No known exploitation in ransomware campaigns has been reported.

Vendor: IBM
Product: Aspera High-Speed Transfer Endpoint
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running IBM Aspera High-Speed Transfer Endpoint or Server versions 3.7.4 through 4.4.7 Fix Pack 1, particularly those with asperahttpd exposed to untrusted networks or the internet. Security teams responsible for file transfer infrastructure and availability of critical data movement services.

Technical summary

The asperahttpd component in IBM Aspera High-Speed Transfer Endpoint and Server fails to handle certain input conditions, resulting in a NULL pointer dereference (CWE-476) that terminates the service. The vulnerability is reachable over the network without authentication, making it suitable for automated exploitation. The crash affects availability only; it does not compromise confidentiality or integrity.

Defensive priority

HIGH

Recommended defensive actions

  • Apply IBM Aspera High-Speed Transfer Endpoint or Server patches to version 4.4.7 Fix Pack 2 or later as indicated in the vendor security advisory
  • Restrict network access to asperahttpd service endpoints to authorized hosts only
  • Monitor asperahttpd service logs for unexpected crashes or restart events
  • Implement network segmentation to limit exposure of Aspera transfer services to untrusted networks
  • Review and validate that asperahttpd is not exposed directly to the internet without additional access controls
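
One way to act on the log-monitoring recommendation above, as an added example that is not from IBM or the original advisory: the script scans exported systemd journal lines for signal-terminated exits of asperahttpd and flags hosts where they repeat in a short window. The unit name asperahttpd.service, the `journalctl -o short-iso` export format, the threshold of 3 crashes in 10 minutes and the sample lines are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption: asperahttpd runs as a systemd unit with this name and the journal
# was exported with `journalctl -o short-iso`. Adjust UNIT for your deployment.
UNIT = "asperahttpd.service"
EXIT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) systemd\[1\]: " + re.escape(UNIT)
    + r": Main process exited, code=(?P<code>\w+), status=(?P<status>\S+)$")
# A NULL pointer dereference ends a Linux process with a signal (SIGSEGV, 11);
# systemd reports signal deaths as code=killed or code=dumped.
SIGNAL_CODES = {"killed", "dumped"}

# Constructed sample journal lines, not real Aspera output.
SAMPLE = """\
2026-05-28T10:00:05+0000 xfer01 systemd[1]: asperahttpd.service: Main process exited, code=dumped, status=11/SEGV
2026-05-28T10:01:00+0000 xfer01 systemd[1]: sshd.service: Main process exited, code=killed, status=11/SEGV
2026-05-28T10:02:10+0000 xfer01 systemd[1]: asperahttpd.service: Main process exited, code=dumped, status=11/SEGV
2026-05-28T10:04:30+0000 xfer01 systemd[1]: asperahttpd.service: Main process exited, code=killed, status=11/SEGV
2026-05-28T10:30:00+0000 xfer02 systemd[1]: asperahttpd.service: Main process exited, code=exited, status=1/FAILURE
2026-05-28T11:00:00+0000 xfer02 systemd[1]: asperahttpd.service: Main process exited, code=dumped, status=11/SEGV
"""

def find_crashes(lines):
    """Return (timestamp, host, status) for each signal-terminated exit of UNIT."""
    hits = []
    for line in lines:
        m = EXIT_RE.match(line.strip())
        if m and m["code"] in SIGNAL_CODES:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
            hits.append((ts, m["host"], m["status"]))
    return hits

def crash_bursts(crashes, threshold=3, window=timedelta(minutes=10)):
    """Map host -> start of the first window holding >= threshold crashes."""
    by_host = {}
    for ts, host, _ in crashes:
        by_host.setdefault(host, []).append(ts)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[host] = times[i]
                break
    return flagged

if __name__ == "__main__":
    crashes = find_crashes(SAMPLE.splitlines())
    for ts, host, status in crashes:
        print(f"{ts.isoformat()} {host} {UNIT} crashed ({status})")
    for host, start in crash_bursts(crashes).items():
        print(f"ALERT {host}: repeated {UNIT} crashes starting {start.isoformat()}")
```

A single crash is worth a ticket on its own; the burst check separates an isolated fault from a service that is being knocked down repeatedly.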

Evidence notes

Vulnerability description and affected versions derived from NVD record. CVSS vector and CWE classification sourced from NVD weakness data. IBM PSIRT reference confirms vendor acknowledgment. No KEV listing present.
