How to Fix CVE-2022-47986: IBM Aspera Faspex YAML Deserialization RCE
*By Sai Kiran Pandrala*
| Severity | CVSS 9.8, Critical |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV. IceFire ransomware used it against Linux deployments. |
| Affected | IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier |
| Fixed in | Aspera Faspex 4.4.2 Patch Level 2, or 5.0.0+ (Faspex 5 is the supported next-gen line) |
| Type (CWE) | YAML Deserialization (related to CWE-502) |
⚠️ Faspex 4 is end-of-life as of mid-2024. If you're still running it, the supported path is to migrate to Faspex 5, or to patch to 4.4.2 PL2 as a bridge while you plan the migration.
What is CVE-2022-47986?
IBM Aspera Faspex deserializes YAML input on certain API endpoints without proper validation. An unauthenticated remote attacker can submit a crafted YAML payload that causes Faspex to instantiate attacker-controlled Ruby objects, leading to remote code execution as the Faspex service account.
Aspera Faspex is enterprise file-transfer software for large data movement (broadcasting, life sciences, financial data feeds). Compromise typically exposes transfer credentials and any in-flight transfer content. IceFire ransomware affiliates used CVE-2022-47986 specifically to land on Linux-based Faspex deployments in early 2023.
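The bug class described above, shown with Ruby's standard YAML library as an added example (this is not Faspex code; the `Marker` class and both documents are constructed for illustration). Full object deserialization lets the document choose which class gets instantiated, while `safe_load` restricts input to plain data and rejects the tagged document.

```ruby
require "yaml"

# Hypothetical application class; stands in for any class loaded in the process.
class Marker
  attr_reader :note
end

# Constructed inputs. The !ruby/object tag asks the parser to build a Marker.
TAGGED_DOC = "--- !ruby/object:Marker\nnote: set by the document, not by the application\n"
PLAIN_DOC  = "---\nrecipient: partner@example.com\nfiles:\n- report.csv\n"

# Unsafe pattern: full object deserialization of untrusted input.
# Psych 4 exposes this as unsafe_load; older Psych versions do it in plain load.
def parse_unsafely(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Hardened pattern: plain data types only, no extra classes, no aliases.
def parse_safely(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  raise ArgumentError, "rejected untrusted YAML: #{e.class}"
end

if __FILE__ == $0
  obj = parse_unsafely(TAGGED_DOC)
  puts "unsafe parse built a #{obj.class} with note=#{obj.note.inspect}"
  puts "safe parse of plain data: #{parse_safely(PLAIN_DOC).inspect}"
  begin
    parse_safely(TAGGED_DOC)
  rescue ArgumentError => e
    puts "safe parse of tagged data: #{e.message}"
  end
end
```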
Am I affected?
You are affected if you run IBM Aspera Faspex 4.4.2 Patch Level 1 or earlier. Faspex 4 versions older than 4.4.x have been unsupported for years; the conclusion and the migration urgency are the same.
Check your Faspex version: log in to the Faspex admin UI, where the version is shown in the page footer, or check the install path on the Faspex host.
How to fix CVE-2022-47986
If you're on Faspex 4.x (short-term)
- Open the IBM security bulletin linked below and download Aspera Faspex 4.4.2 Patch Level 2.
- Back up the Faspex database and `/opt/aspera/faspex/configuration` directory.
- Stop the Faspex service: `sudo systemctl stop aspera-faspex`
- Apply the patch following IBM's documented upgrade procedure (typically a `.bin` installer that detects the existing install).
- Restart Faspex and verify the version.
Long-term, migrate to Faspex 5
Faspex 4 reached end of support. Faspex 5 is the current supported product. The migration tooling is documented in IBM's Faspex 5 deployment guide. Plan this migration if you haven't already: the Faspex 4 train will not receive future security updates beyond critical EOL fixes.
If you can't patch immediately
- Take Faspex off the public internet until patched. Faspex deployments often face the public internet by design (for partner file-transfer use cases). Restrict to known partner IPs while you patch.
- Block the vulnerable API endpoints at any upstream reverse proxy or WAF.
- Disable inbound transfer requests from untrusted sources via Faspex's access-control configuration.
How to verify the fix worked
- Faspex admin → version shows 4.4.2 PL2 or 5.x.
- Run a vulnerability scan against the Faspex URL. CVE-2022-47986 detection should clear.
- IoC hunt for IceFire: review the Faspex host file system for unfamiliar Ruby scripts or shell binaries dropped in early 2023. Check for the IceFire ransomware note pattern in user directories.
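One way to run the file-system review from the last step, as an added example (not an IBM or IceFire-specific tool). It lists Ruby scripts, shell scripts and ELF executables whose modification time falls in a window. The window dates, the function names and the reading of "shell binaries" as shell scripts plus ELF files are assumptions.

```ruby
require "find"

ELF_MAGIC = "\x7FELF".b

# Classify a file by extension or leading bytes; nil means "not of interest".
def script_or_binary_kind(path)
  return :ruby if File.extname(path) == ".rb"
  head = File.open(path, "rb") { |f| f.read(64) } || "".b
  return :elf if head.start_with?(ELF_MAGIC)
  if head.start_with?("#!")
    first = head.lines.first.to_s
    return :ruby if first.include?("ruby")
    return :shell if first =~ /\b(ba|da|z|k)?sh\b/
  end
  nil
rescue SystemCallError
  nil # unreadable file: skip it
end

# Return [path, kind, mtime] for matching regular files modified in [from, to).
def recent_droppers(root, from:, to:)
  hits = []
  Find.find(root) do |path|
    begin
      st = File.lstat(path) # lstat: symlinks are not followed
    rescue SystemCallError
      next
    end
    next unless st.file? && st.mtime >= from && st.mtime < to
    kind = script_or_binary_kind(path)
    hits << [path, kind, st.mtime] if kind
  end
  hits.sort_by { |path, _, _| path }
end

# Usage: ruby hunt.rb /opt/aspera/faspex   (window below is an assumed "early 2023")
if __FILE__ == $0 && ARGV[0]
  recent_droppers(ARGV[0], from: Time.utc(2023, 1, 1), to: Time.utc(2023, 4, 1)).each do |path, kind, mtime|
    puts "#{mtime.utc.strftime('%Y-%m-%d %H:%M')}  #{kind}\t#{path}"
  end
end
```

Modification times can be altered after the fact, so an empty result narrows the review but does not replace comparing the install against a known-good file listing.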
Frequently asked questions
Is CVE-2022-47986 actively exploited?
Yes. CVE-2022-47986 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2022-47986?
Critical. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://www.ibm.com/support/pages/security-bulletin-ibm-aspera-faspex-affected-vulnerability-cve-2022-47986
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official IBM security bulletin: https://www.ibm.com/support/pages/security-bulletin-ibm-aspera-faspex-affected-vulnerability-cve-2022-47986
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47986
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
*This guide was assembled from the IBM security bulletin, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against IBM's bulletin before applying changes in production.*