CVE-2025-36274 in Aspera HTTP Gatewayinfo

Summary

by MITRE • 09/26/2025

IBM Aspera HTTP Gateway 2.0.0 through 2.3.1 stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 09/26/2025

The vulnerability identified as CVE-2025-36274 affects IBM Aspera HTTP Gateway versions 2.0.0 through 2.3.1, representing a critical weakness in the system's data protection mechanisms. This flaw resides in the gateway's configuration and operational handling of sensitive information, creating an exploitable condition that allows unauthorized access to confidential data. The vulnerability manifests when the system stores authentication credentials, session tokens, or other sensitive parameters in plaintext format within accessible files that do not require authentication for reading. This design oversight fundamentally undermines the security posture of the HTTP gateway, as any individual with access to the system's file structure can retrieve these credentials without requiring valid authentication.

The technical implementation of this vulnerability stems from improper data handling practices within the IBM Aspera HTTP Gateway software, specifically in how it manages sensitive information during runtime operations and configuration file generation. The system fails to implement adequate encryption or access controls for sensitive data storage, allowing clear text information to persist in files that are accessible through standard file system operations. This represents a violation of fundamental security principles and aligns with CWE-312, which addresses the exposure of sensitive information through improper data handling. The flaw enables attackers to gain unauthorized access to authentication credentials, potentially compromising user accounts and system integrity across the entire Aspera ecosystem.

From an operational impact perspective, this vulnerability creates significant risk for organizations utilizing IBM Aspera HTTP Gateway for file transfer and data management services. An unauthenticated attacker can exploit this weakness to obtain valid credentials and potentially escalate privileges within the system, leading to unauthorized access to protected resources and data breaches. The attack surface expands considerably as the vulnerability affects the gateway's core configuration files that may contain administrative credentials, API keys, or other sensitive parameters required for system operation. This weakness directly correlates with ATT&CK technique T1552.001, which covers "Unsecured Credentials" and represents a common vector for privilege escalation and lateral movement within enterprise environments.

Mitigation strategies for CVE-2025-36274 should prioritize immediate implementation of encryption for sensitive data storage and enforcement of access controls on configuration files. Organizations must ensure that all sensitive information stored in the HTTP gateway's file system is encrypted using strong cryptographic algorithms and that appropriate file permissions are enforced to prevent unauthorized access. The recommended approach includes upgrading to IBM Aspera HTTP Gateway version 2.3.2 or later, which contains patches addressing this vulnerability. Security administrators should also implement monitoring procedures to detect unauthorized access attempts to sensitive files and establish regular audits of system configurations to identify potential exposure of sensitive data. Additionally, implementing network segmentation and access controls can reduce the impact of this vulnerability by limiting access to the affected system components and preventing lateral movement within the network infrastructure.

Responsible

Ibm

Reservation

04/15/2025

Disclosure

09/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00193

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!