IBM Aspera Faspex 5 5.0.05.0.14.1 UI/API Permission Leak
CVE-2025-36228 Published on December 26, 2025

Incorrect Execution-Assigned Permissions in IBM Aspera Faspex
IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may allow inconsistent permissions between the user interface and backend API allowed users to access features that appeared disabled, potentially leading to misuse.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-36228 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

Incorrect Execution-Assigned Permissions

While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.


Products Associated with CVE-2025-36228

stack.watch emails you whenever new vulnerabilities are published in IBM Aspera Faspex 5 or IBM Aspera Faspex. Just hit a watch button to start following.

IBM Aspera Faspex 5
 
IBM Aspera Faspex
 

Affected Versions

IBM Aspera Faspex 5:

Exploit Probability

EPSS
0.01%
Percentile
1.35%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.