
CVE-2022-47986: IBM Aspera Faspex — YAML Deserialization RCE

CVE Details

CVE ID CVE-2022-47986
CVSS Score 9.8
Severity Critical
Vendor IBM
Product Aspera Faspex
Patch Status Available
Published March 10, 2026

Background

IBM Aspera Faspex is an enterprise file transfer platform built on IBM’s proprietary FASP protocol, which provides high-speed large file transfer capabilities. It is deployed by media companies, financial services firms, and other enterprises for bulk content and data transfer. Faspex provides a web interface and API for managing transfers, packages, and recipients.

CVE-2022-47986 is a YAML deserialisation vulnerability in an API endpoint of IBM Aspera Faspex. IBM released the fixing patch level and its security bulletin in January 2023, and a public technical analysis with proof-of-concept code followed in early February 2023 (the 2022 in the identifier is the year the CVE ID was reserved, not the year of disclosure). It carries a CVSS score of 9.8, needs no credentials, and was being used by ransomware operators within weeks. The endpoint hands user-supplied content to Ruby's YAML loader without restricting which classes the loader may instantiate, so a crafted document gives an unauthenticated attacker remote code execution on the server.

Technical Mechanism

CVE-2022-47986 is an insecure deserialisation vulnerability (CWE-502) in IBM Aspera Faspex's Ruby on Rails-based API. The package relay controller passes a field of the incoming request straight to Ruby's YAML loader (YAML.load), which on the Ruby version Faspex shipped with instantiates whatever Ruby classes the document names.

Ruby’s YAML library (Psych) supports multiple YAML tags, including the !ruby/object family of tags that allow arbitrary Ruby object instantiation during deserialisation. When user-supplied YAML content is deserialised without restricting permitted classes, an attacker can supply a YAML payload that instantiates a gadget chain — a sequence of Ruby objects that, when constructed and their methods called during deserialisation, execute arbitrary code:

# Malicious YAML payload (conceptual gadget chain)
--- !ruby/object:Gem::Requirement
requirements:
  - !ruby/object:Gem::Package::TarReader
    io: !ruby/object:Net::BufferedIO
      io: !ruby/object:Gem::Package::TarReader::Entry
        read: 0
        header: "abc"
      debug_output: !ruby/object:Net::WriteAdapter
        socket: !ruby/object:Gem::RequestSet
          sets: !ruby/object:Net::WriteAdapter
            socket: !ruby/object:PrettyPrint
              output: !ruby/object:IO
                fd: 1
              bufsize: "id|sh"
          git_hooks:

The chain is built from classes that are already loaded in any RubyGems-aware process:

  • Gem::Requirement, Gem::Package::TarReader and Net::BufferedIO: Psych does not call arbitrary methods while allocating an object, but it does run post-load hooks such as yaml_initialize, and Gem::Requirement's hook iterates over its requirements list. That iteration calls each on the TarReader, which reads from its io (the BufferedIO), which writes to its debug_output adapter, and so on down the chain until an object is reached whose method runs a command.
  • Kernel.open() with a | prefix and Kernel.system: In Ruby, open("|command") runs command through a shell, and Net::WriteAdapter forwards whatever is written to it by calling a configurable method name on a configurable receiver, which is how the chain terminates in a command-execution primitive.

The vulnerable endpoint is the package relay API, POST /aspera/faspex/package_relay/relay_package, which accepts a JSON body describing a package to relay. One of the string fields in that body is handed to the YAML loader as-is, so the attacker embeds the YAML document inside the JSON rather than sending a YAML content type:

POST /aspera/faspex/package_relay/relay_package HTTP/1.1
Host: faspex.target.com
Content-Type: application/json

{"package": { [...package fields; the YAML-bearing string field holds "--- !ruby/object:Gem::Requirement" followed by the gadget chain...] }}

The deserialisation happens before any authentication check in that controller action, so no credentials are needed: it is a pre-authentication RCE.
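
The sink and the fix, side by side as a runnable comparison. This is an added example, not code from Faspex or from IBM's patch: RelayHook is a constructed stand-in for a gadget class that only records what it is given instead of running anything, the two YAML documents are constructed inputs, and vulnerable_parse, hardened_parse, load_outcome and demo are names chosen for this example. On a current Ruby the same document is turned into an arbitrary object by the unrestricted loader and rejected with Psych::DisallowedClass by safe_load.

```ruby
require "yaml"

# Stand-in for a gadget class. On a real Faspex host the attacker names classes
# that are already loaded (Gem::Requirement and friends); this constructed class
# merely stores what the document gave it, so nothing is executed.
class RelayHook
  attr_accessor :command
end

# Constructed attacker input: asks Psych to allocate a RelayHook and set @command.
MALICIOUS_YAML = <<~YAML
  --- !ruby/object:RelayHook
  command: "id|sh"
YAML

# Constructed benign input of the shape the endpoint expects: a list of addresses.
BENIGN_YAML = "---\n- alice@example.com\n- bob@example.com\n"

# Vulnerable pattern: full Psych loading, which honours !ruby/object tags and runs
# post-load hooks on the objects it builds. On Ruby >= 3.1 (Psych 4) the
# unrestricted loader is YAML.unsafe_load; on older Rubies YAML.load itself is
# unrestricted, which is the call the pre-PL2 Faspex code path made.
def vulnerable_parse(blob)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(blob) : YAML.load(blob)
end

# Hardened pattern: safe_load builds only core scalar and collection types,
# refuses aliases (which some gadget chains rely on) and raises
# Psych::DisallowedClass for any !ruby/object tag.
def hardened_parse(blob)
  YAML.safe_load(blob, permitted_classes: [], aliases: false)
end

# Run one loader over one document and summarise the outcome so the two
# behaviours can be compared directly.
def load_outcome(loader, blob)
  result = send(loader, blob)
  result.is_a?(RelayHook) ? [:instantiated, result.command] : [:parsed, result]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

def demo
  {
    vulnerable_malicious: load_outcome(:vulnerable_parse, MALICIOUS_YAML),
    hardened_malicious:   load_outcome(:hardened_parse, MALICIOUS_YAML),
    hardened_benign:      load_outcome(:hardened_parse, BENIGN_YAML),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, outcome| puts "#{name}: #{outcome.inspect}" }
end
```

Note that safe_load is the minimum, not the whole answer: a field that is documented as a list of e-mail addresses should be parsed as JSON or as a plain array by the framework, and never reach a YAML loader at all.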

Real-World Exploitation Evidence

Ransomware groups moved rapidly to exploit CVE-2022-47986 after researchers published proof-of-concept code:

  • IceFire ransomware: Documented exploitation for initial access on Linux servers, deploying IceFire ransomware. This was notable as Linux ransomware was relatively uncommon at the time, and IceFire leveraged Aspera Faspex as a Linux server-targeting vector.
  • Buhti ransomware: A separate group used CVE-2022-47986 for initial access in ransomware campaigns targeting media and entertainment sector organisations.
  • Rapid exploitation timeline: Exploitation was observed within weeks of the proof of concept published on 2 February 2023, and CISA added the CVE to its Known Exploited Vulnerabilities catalogue on 21 February 2023, consistent with threat actors monitoring disclosures and operationalising public exploits quickly.

Impact Assessment

  • Unauthenticated code execution: No credentials needed; any attacker with HTTP access to the Faspex API can exploit the vulnerability.
  • Ruby/Rails process context: Code executes in the context of the Faspex application server process, which has access to all transferred files and metadata.
  • Sensitive file access: Faspex is used for large-volume file transfers; the server stores or has access to all transferred content.
  • Database access: Application server context typically includes database credentials; the Faspex database contains transfer metadata, user credentials, and configuration.
  • Lateral movement: Enterprises using Faspex often have it integrated with Active Directory and file storage systems, providing additional pivot points.

Affected Versions

Product              Affected Versions                   Fixed Version
IBM Aspera Faspex    4.4.2 Patch Level 1 and earlier     4.4.2 Patch Level 2 and later

IBM released 4.4.2 Patch Level 2 in January 2023 and published its security bulletin for CVE-2022-47986 on 26 January 2023. Public technical details and proof-of-concept code followed in early February 2023, after the patch was already available.

Remediation Steps

  1. Apply IBM Aspera Faspex 4.4.2 Patch Level 2: Download from IBM Fix Central. This is the only complete remediation.

  2. Network access restriction: Restrict access to the Faspex web interface and API to known source IP ranges. Faspex should not be directly internet-accessible without strong perimeter controls. For an nginx reverse proxy in front of Faspex (Apache's Require ip directive does the same job):

    # nginx: restrict /aspera/faspex/ to allowed IPs
    location /aspera/faspex/ {
        allow 192.168.1.0/24;
        allow 10.0.0.0/8;
        deny all;
    }
  3. WAF rules: Block request bodies that carry Ruby-specific YAML tags. The exploit request is JSON with the YAML embedded in a string value, so do not key the rule on a YAML Content-Type:

    Block: POST to /aspera/faspex/ with a body containing "!ruby/" (raw, percent-encoded or JSON \u-escaped), whatever the Content-Type
  4. Log and host review: Check Faspex application logs and web server access logs for POST requests to /aspera/faspex/package_relay/relay_package, especially from unexpected source IPs, and look on the host for:

    • Unusual process spawning from the Faspex Ruby process
    • Unexpected outbound connections from the Faspex server
  5. Rotate credentials: If exploitation is suspected, rotate Faspex admin credentials, database passwords, and any API tokens stored in the application.

Detection Guidance

Log sources:

  • Faspex application logs: /opt/aspera/faspex/log/ (default Linux path)
  • Web server access logs for the Faspex virtual host
  • OS process audit logs (auditd on Linux)

Detection patterns:

# Check for Ruby YAML tags in logged request parameters (Rails writes them to
# production.log); also try the percent-encoded form
grep -n -e 'ruby/object' -e 'ruby%2Fobject' /opt/aspera/faspex/log/production.log

# Record every execve by the Faspex service account (faspex is the account name
# on a default install; substitute yours) and review the interpreted events.
# Keying on the account rather than on /bin/sh also catches bash, perl, curl, etc.
auditctl -a always,exit -F arch=b64 -S execve -F euid=$(id -u faspex) -k faspex_exec
ausearch -k faspex_exec -i

Indicators of Compromise:

  • Unexpected outbound network connections from the Faspex server
  • New files in the Faspex web directory not matching installed package
  • Modified cron jobs or system services on the Faspex host
  • POST requests to API endpoints containing !ruby/object: in body

Suricata signature:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"IBM Aspera Faspex CVE-2022-47986 YAML Deserialization"; flow:established,to_server; http.request_body; content:"!ruby/object:"; sid:9002298; rev:1;)
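
The grep and the Suricata content match above both look for the literal string !ruby/object:, which the request need not contain once the YAML has passed through JSON or form encoding, or when a YAML %TAG directive aliases the !ruby/ prefix. The scanner below, an added example and not part of Faspex or any IBM tooling, normalises those encodings before matching. The log lines are constructed in a generic "source method path body" access-log shape rather than the real Faspex log format, "field" stands in for whichever JSON member carries the YAML, the addresses are documentation ranges, and Hit, decode_once, normalise, inspect_line and scan are names chosen for this example.

```ruby
# Constructed sample lines: "<src> <method> <path> <body>", as a reverse proxy
# configured to log request bodies might record them (not the Faspex log format).
SAMPLE_LINES = [
  # Literal tag inside a JSON string, the form a straightforward PoC sends
  '203.0.113.7 POST /aspera/faspex/package_relay/relay_package {"package":{"field":"--- !ruby/object:Gem::Requirement\\nrequirements:"}}',
  # Same tag with "!" and "/" hidden behind JSON escapes
  '198.51.100.9 POST /aspera/faspex/package_relay/relay_package {"package":{"field":"--- \\u0021ruby\\/object:Gem::Requirement"}}',
  # Same tag percent-encoded as a form body
  '198.51.100.9 POST /aspera/faspex/package_relay/relay_package package%5Bfield%5D=---+%21ruby%2Fobject%3AGem%3A%3ARequirement',
  # A %TAG directive that aliases the handle, so the node tag itself reads !r!object
  '198.51.100.9 POST /aspera/faspex/package_relay/relay_package {"package":{"field":"%TAG !r! !ruby/\\n--- !r!object:Gem::Requirement"}}',
  # Legitimate traffic
  '192.0.2.4 POST /aspera/faspex/package_relay/relay_package {"package":{"field":"---\\n- alice@example.com"}}',
  '192.0.2.4 GET /aspera/faspex/login -',
].freeze

RELAY_PATH    = "/aspera/faspex/package_relay/relay_package"
RUBY_TAG      = %r{!ruby/}i          # covers !ruby/object:, !ruby/hash:, !ruby/struct:, ...
TAG_DIRECTIVE = /%TAG\s+\S+\s+\S+/i  # an address list never legitimately carries a YAML directive

Hit = Struct.new(:src, :path, :reasons)

# One pass of decoding: JSON \uXXXX and \/ escapes, then form encoding (+ and %XX).
# Only valid %XX pairs are decoded, so a literal "%TAG" survives intact.
def decode_once(text)
  s = text.gsub(/\\u(\h{4})/) { $1.hex.chr(Encoding::UTF_8) }
  s = s.gsub('\\/', '/')
  s.tr("+", " ").gsub(/%(\h{2})/) { $1.hex.chr(Encoding::UTF_8) }
end

# Decode until the text stops changing (bounded), so double-encoded payloads are
# unwrapped before the pattern match.
def normalise(text)
  s = text
  3.times do
    t = decode_once(s)
    break if t == s
    s = t
  end
  s
end

# Examine one log line; return a Hit for a suspicious POST body, nil otherwise.
def inspect_line(line)
  src, verb, path, body = line.split(" ", 4)
  return nil unless verb == "POST" && body
  decoded = normalise(body)
  reasons = []
  reasons << :ruby_tag      if RUBY_TAG.match?(decoded)
  reasons << :tag_directive if TAG_DIRECTIVE.match?(decoded)
  reasons.empty? ? nil : Hit.new(src, path, reasons)
end

def scan(lines)
  lines.filter_map { |line| inspect_line(line) }
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LINES).each do |hit|
    puts "#{hit.src} POST #{hit.path} flagged: #{hit.reasons.join(', ')}"
  end
end
```

Of the six constructed lines the first four are flagged and the two legitimate ones are not. The same normalisation belongs in any WAF or IDS rule you derive from the Suricata signature above: match on !ruby/ after decoding, and treat any %TAG directive in a package body as hostile in its own right.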

Timeline

Date                Event
January 2023        IBM releases Faspex 4.4.2 Patch Level 2 (fixing the vulnerability)
January 26, 2023    IBM publishes its security bulletin for CVE-2022-47986
February 2, 2023    Public technical analysis and proof-of-concept code published
February 21, 2023   CISA adds CVE-2022-47986 to the KEV catalogue
February 2023       Ransomware groups begin exploitation
March 2023          IceFire ransomware campaign documented using CVE-2022-47986