CVE Alert: CVE-2025-36274 – IBM – Aspera HTTP Gateway

CVE-2025-36274

HIGH · No exploitation known

IBM Aspera HTTP Gateway 2.0.0 through 2.3.1 stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor
IBM
Product
Aspera HTTP Gateway
Versions
2.0.0 through 2.3.1
CWE
CWE-319 Cleartext Transmission of Sensitive Information
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Published
2025-09-26T14:14:01.082Z
Updated
2025-09-26T14:57:32.217Z
cpe:2.3:a:ibm:aspera_http_gateway:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:aspera_http_gateway:2.3.1:*:*:*:*:*:*:*

AI Summary Analysis

Risk verdict

High risk of unauthenticated network exposure leading to sensitive data disclosure; no explicit exploitation evidence in this record, but the vector is easy to reach and impactful.

Why this matters

Cleartext storage of sensitive data means an attacker can exfiltrate data without credentials, potentially breaching confidentiality obligations and triggering regulatory or contractual penalties. The access could enable mass data theft or leakage of personal or proprietary information, with reputational and operational consequences.

Most likely attack path

The gateway is reachable over the network without authentication, which allows automated access to the readable files. The only precondition is a reachable gateway instance; an attacker who can reach it can retrieve the stored data with no user interaction or privileges. Scope remains unchanged, and the impact is direct data exposure rather than loss of integrity or availability.

Who is most exposed

Organisations with internet- or DMZ-facing data transfer gateways, especially in enterprises using external file-sharing or partner integrations, are most at risk; cloud or on‑prem deployments with public exposure amplify the likelihood of exploitation.

Detection ideas

  • Unauthenticated requests to endpoints returning sensitive files in cleartext
  • Sudden spikes in data egress from the gateway
  • Access logs showing repeated reads from unknown or external IPs
  • Files being downloaded or listed in cleartext through web endpoints
  • Anomalous ACL or directory listing indicators
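
One way to turn the first three detection ideas into a log check, as an added example that is not part of the original alert or of IBM's tooling. It assumes a reverse proxy in front of the gateway writing Combined Log Format, where a remote-user field of `-` means no authenticated user; the allowlist, thresholds and sample paths are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions: allowlisted ranges and thresholds are illustrative values.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
MIN_READS = 3          # repeated reads from one source
MAX_BYTES = 1_000_000  # egress volume from one source

# Combined Log Format: ip ident user [time] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)')

def is_allowed(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable client field: treat as unknown source
    return any(addr in net for net in ALLOWED_NETS)

def find_suspect_sources(lines):
    """Map non-allowlisted IPs to stats for successful unauthenticated reads."""
    stats = defaultdict(lambda: {"reads": 0, "bytes": 0, "paths": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if (not m or m["user"] != "-" or m["method"] not in ("GET", "HEAD")
                or not m["status"].startswith("2") or is_allowed(m["ip"])):
            continue  # malformed, authenticated, not a read, failed, or trusted
        s = stats[m["ip"]]
        s["reads"] += 1
        s["bytes"] += 0 if m["bytes"] == "-" else int(m["bytes"])
        s["paths"].add(m["path"])
    return {ip: s for ip, s in stats.items()
            if s["reads"] >= MIN_READS or s["bytes"] >= MAX_BYTES}

# Constructed sample lines; paths are placeholders, not real product paths.
T = "[26/Sep/2025:15:00:00 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {T} "GET /placeholder/a HTTP/1.1" 200 512',
    f'203.0.113.7 - - {T} "GET /placeholder/b HTTP/1.1" 200 2048',
    f'203.0.113.7 - - {T} "GET /placeholder/c HTTP/1.1" 200 1024',
    f'10.1.2.3 - - {T} "GET /placeholder/a HTTP/1.1" 200 4096',
    f'198.51.100.9 - alice {T} "GET /placeholder/a HTTP/1.1" 200 900',
    f'198.51.100.20 - - {T} "GET /placeholder/a HTTP/1.1" 401 0',
    f'198.51.100.44 - - {T} "GET /placeholder/big HTTP/1.1" 200 5000000',
]

if __name__ == "__main__":
    print(find_suspect_sources(SAMPLE_LOG))
```

On the sample data the repeated reader and the single large download are flagged, while the internal, authenticated and rejected requests are ignored.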

Mitigation and prioritisation

  • Patch to version 2.3.2 immediately; upgrade is essential
  • Restrict exposure: enforce authentication, use TLS, apply network allowlisting
  • Implement WAF rules and monitor for unauthenticated access attempts
  • Review and tighten access controls; isolate gateway behind VPN or bastion
  • Change-management: plan tests in staging, schedule downtime if needed

Note: If KEV is true or EPSS ≥ 0.5, treat as priority 1.

