Cyber Resilience

CVE-2023-35907

Severity: Medium
Published: 29 January 2025
Modified: 05 March 2025
KEV Added: not listed
CVSS Score v3.1: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0011 (28.9th percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-35907 is a medium-severity Weak Password Requirements (CWE-521) vulnerability in IBM Aspera Faspex 5.0.0 through 5.0.10. Its CVSS v3.1 base score is 5.9 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Brute Force (T1110). EPSS ranks the CVE at the 28.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-2 (Account Management), with consecutive-failure lockout (AC-7, Unsuccessful Logon Attempts) as the compensating control against online guessing.

Deeper analysis

IBM Aspera Faspex versions 5.0.0 through 5.0.10 are affected by CVE-2023-35907: the product does not, by default, require users to choose strong passwords (CWE-521). The weakness is rated CVSS v3.1 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), Medium, with the score driven almost entirely by the high confidentiality impact.

An unauthenticated attacker can reach the login interface over the network with no user interaction. The vector's high attack complexity reflects that success depends on a target user actually having chosen a guessable password, which the attacker then recovers by online password guessing or brute force rather than by any flaw in the authentication code itself. A correct guess yields that user's account and with it the data the account can access in Faspex, hence C:H with no integrity or availability impact recorded.

IBM's security advisory at https://www.ibm.com/support/pages/node/7181814 provides details on mitigation, recommending enforcement of strong password policies to address the default configuration issue.
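The weak-by-default policy the advisory describes, and the stronger policy it recommends enforcing, side by side. This is an added example, not IBM's or Faspex's own code: the `PasswordPolicy` class, its thresholds (a 12-character floor, at least five distinct characters) and the small `COMMON_PASSWORDS` denylist are assumptions standing in for a real breached-password corpus.

```python
"""Password policy check contrasting the weak default described for
CVE-2023-35907 (no strength requirement) with a hardened policy in the
spirit of NIST 800-53 IA-5.  Added example, not vendor code; the
thresholds and the denylist below are assumptions."""
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed denylist standing in for a breached/common-password corpus.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "aspera", "faspex", "changeme", "summer2024",
}


@dataclass
class PasswordPolicy:
    min_length: int = 12        # assumption: 12-character floor for users
    max_length: int = 128       # high ceiling so passphrases are not truncated
    min_unique_chars: int = 5   # rejects "aaaaaaaaaaaa"-style filler
    denylist: frozenset = field(default_factory=lambda: frozenset(COMMON_PASSWORDS))
    enforced: bool = True       # False models the weak default: anything goes

    def evaluate(self, password: str, username: str = "") -> list[str]:
        """Return the list of violations; an empty list means accepted."""
        if not self.enforced:
            return [] if password else ["empty password"]
        pw = unicodedata.normalize("NFKC", password)
        problems = []
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if len(pw) > self.max_length:
            problems.append(f"longer than {self.max_length} characters")
        if len(set(pw)) < self.min_unique_chars:
            problems.append("too few distinct characters")
        lowered = pw.lower()
        # Strip digits/symbols tacked on to a common word ("Password123!")
        # before the denylist lookup.
        core = re.sub(r"[^a-z]+$", "", lowered)
        if lowered in self.denylist or core in self.denylist:
            problems.append("appears in the common-password denylist")
        if username and len(username) >= 3 and username.lower() in lowered:
            problems.append("contains the username")
        if re.search(r"(.)\1{3,}", pw):
            problems.append("contains a run of four or more repeated characters")
        return problems

    def accepts(self, password: str, username: str = "") -> bool:
        return not self.evaluate(password, username)


# The two configurations the advisory contrasts: no requirement vs. enforced.
WEAK_DEFAULT = PasswordPolicy(enforced=False)
HARDENED = PasswordPolicy()
```

Under `WEAK_DEFAULT` a user can register `password`; under `HARDENED` the same string is refused for two independent reasons (too short, on the denylist), while a long passphrase passes. Checking a denylist rather than demanding character classes follows the current guidance that length and non-reuse matter more than composition rules.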


Vulnerability details

IBM Aspera Faspex 5.0.0 through 5.0.10 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.

CWE(s)

CWE-521 Weak Password Requirements

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
T1110.001 Password Guessing (Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
T1078 Valid Accounts (Initial Access, Persistence, Privilege Escalation, Defense Evasion)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Weak default password policy (CWE-521) directly enables remote brute-force/password guessing (T1110/T1110.001) to obtain valid accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
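What the T1110.001 to T1078 chain looks like in authentication logs, and how to alert on it. This is an added example, not IBM's code or a Faspex log format: the `key=value` lines in `SAMPLE_LOG` are constructed, and the five-failures-in-five-minutes threshold is an assumption to tune against real traffic.

```python
"""Detection logic for online password guessing against a login endpoint
(ATT&CK T1110 / T1110.001) and for the guessed account then being used
(T1078).  Added example, not vendor code; the log layout and the
thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic key=value layout, not the real
# Faspex log format.  alice is guessed and then logged into; bob fat-fingers
# once; carol is a clean login.
SAMPLE_LOG = """\
2025-02-01T10:00:01Z auth result=fail user=alice src=203.0.113.9
2025-02-01T10:00:03Z auth result=fail user=alice src=203.0.113.9
2025-02-01T10:00:05Z auth result=fail user=alice src=203.0.113.9
2025-02-01T10:00:07Z auth result=fail user=alice src=203.0.113.9
2025-02-01T10:00:09Z auth result=fail user=alice src=203.0.113.9
2025-02-01T10:00:12Z auth result=success user=alice src=203.0.113.9
2025-02-01T10:05:00Z auth result=fail user=bob src=198.51.100.20
2025-02-01T10:05:30Z auth result=success user=bob src=198.51.100.20
2025-02-01T11:00:00Z auth result=success user=carol src=192.0.2.77
"""

WINDOW = timedelta(minutes=5)   # assumption: sliding window for counting failures
FAIL_THRESHOLD = 5              # assumption: alert on the fifth failure in the window


def parse(line: str) -> dict:
    """Split one log line into a dict with a datetime under "ts"."""
    ts, _, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(log_text: str) -> list:
    """Return alerts: one T1110.001 per guessing burst, and one T1078 when a
    burst against an account is followed by a success from the same source."""
    recent = defaultdict(list)   # (user, src) -> failure timestamps inside WINDOW
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        key = (ev["user"], ev["src"])
        # Age out failures that fell off the back of the window before counting.
        recent[key] = [t for t in recent[key] if ev["ts"] - t <= WINDOW]
        if ev["result"] == "fail":
            recent[key].append(ev["ts"])
            if len(recent[key]) == FAIL_THRESHOLD:   # fire once as the burst crosses the line
                alerts.append({"technique": "T1110.001", "user": ev["user"],
                               "src": ev["src"], "at": ev["ts"]})
        elif ev["result"] == "success":
            if len(recent[key]) >= FAIL_THRESHOLD:
                # A success right after a burst is the Valid Accounts signal:
                # the guess worked and the account is now in adversary hands.
                alerts.append({"technique": "T1078", "user": ev["user"],
                               "src": ev["src"], "at": ev["ts"],
                               "failures_before": len(recent[key])})
            recent[key].clear()
    return alerts
```

Keying on `(user, src)` catches the single-account guessing the CVE enables; the same loop keyed on `src` alone, counting distinct users, would surface one source trying many accounts. Note that a weak password is exactly what makes the second alert fire at all: with a strong policy in place the burst is still visible, but it does not end in a success.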

CVEs Like This One

CVE-2023-37398 (same product: IBM Aspera Faspex)
CVE-2025-36363 (same vendor: IBM)
CVE-2026-5065 (same vendor: IBM)
CVE-2025-36376 (same vendor: IBM)
CVE-2025-13691 (same vendor: IBM)
CVE-2025-55269 (shared CWE-521)
CVE-2025-3356 (same vendor: IBM)
CVE-2025-0162 (same vendor: IBM)
CVE-2023-38013 (same vendor: IBM)
CVE-2025-12531 (same vendor: IBM)

Affected Assets

IBM Aspera Faspex 5.0.0 through 5.0.10

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent): Directly mandates ensuring authenticators such as passwords have sufficient strength of mechanism and that defaults are changed, which addresses the CVE's lack of strong password requirements head on.

AC-2 Account Management (prevent): Requires specifying password requirements and changing default passwords at first logon as part of account management, mitigating the weak default configuration.

AC-7 Unsuccessful Logon Attempts (prevent): Limits consecutive unsuccessful logon attempts and enforces account lockouts, cutting off the brute-force and guessing path that weak passwords open up.
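A consecutive-failure lockout of the kind AC-7 calls for, run against a constructed account with a weak password to show that the lock stops an online guesser even when the policy did not stop the user. This is an added example, not Faspex code: `LockoutPolicy` limits (five attempts, 15 minutes), the plaintext `CREDENTIALS` store and the guess list are all assumptions for the demonstration.

```python
"""Consecutive-failure lockout in the sense of NIST 800-53 AC-7, the control
that blunts guessing against accounts whose passwords are weak.  Added
example, not vendor code; the limits, the credential store and the guess
list are constructed."""
from dataclasses import dataclass
from typing import Callable

# Constructed credential store.  A real system compares slow-KDF hashes,
# never plaintext; this stands in so the run is self-contained.
CREDENTIALS = {"alice": "Winter2024!"}


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int = 5        # assumption: lock on the fifth consecutive failure
    lockout_seconds: int = 900   # assumption: 15-minute lock


class LoginGate:
    def __init__(self, policy: LockoutPolicy,
                 verify: Callable[[str, str], bool],
                 clock: Callable[[], float]):
        self.policy = policy
        self.verify = verify          # the real credential check
        self.clock = clock            # injected so the run is deterministic
        self.failures = {}            # user -> consecutive failures
        self.locked_until = {}        # user -> epoch seconds

    def attempt(self, user: str, password: str) -> str:
        """Return "ok", "fail" or "locked" for one login attempt."""
        now = self.clock()
        if now < self.locked_until.get(user, 0.0):
            # Do not evaluate the password at all while locked: a correct
            # guess must look identical to a wrong one, or the lock itself
            # confirms the attacker's answer.
            return "locked"
        if self.verify(user, password):
            self.failures.pop(user, None)
            self.locked_until.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        if count >= self.policy.max_attempts:
            self.locked_until[user] = now + self.policy.lockout_seconds
            self.failures[user] = 0
            return "locked"
        self.failures[user] = count
        return "fail"


def simulate() -> list:
    """Run a constructed guess list against alice, then retry after the lock expires."""
    t = [1_000_000.0]
    gate = LoginGate(LockoutPolicy(),
                     lambda u, p: CREDENTIALS.get(u) == p,
                     lambda: t[0])
    # The sixth guess is the right password, but it arrives during the lock.
    guesses = ["password", "123456", "Welcome1", "qwerty", "Summer2024", "Winter2024!"]
    results = []
    for g in guesses:
        results.append(gate.attempt("alice", g))
        t[0] += 1.0
    t[0] += LockoutPolicy().lockout_seconds   # wait out the lock
    results.append(gate.attempt("alice", "Winter2024!"))
    return results
```

Two practitioner caveats. First, a per-account lock lets anyone who knows a username deny that user service by feeding five bad passwords, so pair it with per-source throttling and the alerting above rather than relying on it alone. Second, the gate refuses even the correct password while locked; a lock that still let the right password through would turn the lockout into an oracle for the guesser.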

References

IBM Security Bulletin: https://www.ibm.com/support/pages/node/7181814