Cyber Resilience

CVE-2023-37398

Severity: Medium
Published: 29 January 2025

Modified: 05 March 2025
CVSS v3.1 base score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0011 (28.9th percentile)
Risk priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-37398 is a medium-severity Weak Password Requirements (CWE-521) vulnerability in IBM Aspera Faspex. Its CVSS v3.1 base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). EPSS ranks the CVE at the 28.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-7 (Unsuccessful Logon Attempts).

Deeper analysis

CVE-2023-37398 is a vulnerability in IBM Aspera Faspex versions 5.0.0 through 5.0.10, where the software does not enforce strong passwords by default. This weakness, classified under CWE-521 (Weak Password Requirements), enables attackers to more readily compromise user accounts through password guessing or brute-force attempts. The issue carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting network accessibility with high attack complexity but significant confidentiality impact.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. The high attack complexity arises from the need to perform repeated authentication attempts against accounts protected only by weak or default passwords. Successful exploitation allows attackers to gain unauthorized access to compromised user accounts, potentially exposing sensitive data transferred via the Faspex platform.

IBM has published an advisory detailing mitigation steps at https://www.ibm.com/support/pages/node/7181814, which security practitioners should consult for patching and configuration recommendations to enforce stronger password policies.

Vulnerability details

IBM Aspera Faspex 5.0.0 through 5.0.10 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.

CWE(s)

CWE-521 Weak Password Requirements

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

T1110.001 Password Guessing (Credential Access): Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

Why these techniques?

Weak default password policy (CWE-521) directly lowers the bar for successful password guessing and brute-force authentication attempts against network-exposed accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-35907: same product (IBM Aspera Faspex)
CVE-2025-55269: shared CWE-521
CVE-2025-36363: same vendor (IBM)
CVE-2024-51476: same vendor (IBM)
CVE-2026-33771: shared CWE-521
CVE-2025-3356: same vendor (IBM)
CVE-2025-0162: same vendor (IBM)
CVE-2023-38013: same vendor (IBM)
CVE-2025-12531: same vendor (IBM)
CVE-2025-36251: same vendor (IBM)

Affected Assets

IBM Aspera Faspex, versions 5.0.0 through 5.0.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent)

Directly mandates management of authenticators, including sufficient strength for passwords and changing defaults prior to use, comprehensively addressing the lack of strong password requirements by default in IBM Aspera Faspex.

AC-7 Unsuccessful Logon Attempts (prevent, detect)

Enforces limits on unsuccessful logon attempts and account lockouts, mitigating brute-force exploitation of weak or default passwords.

Secure configuration settings (prevent)

Requires establishment and enforcement of secure configuration settings, including those for strong password policies, to prevent use of weak defaults.
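The two controls the analysis names, a password-strength rule (IA-5) and an unsuccessful-logon limit (AC-7), as a worked defender's example of compensating for a CWE-521 weak-default-password weakness. This is added code, not IBM's or Faspex's; the length and character-class thresholds, the lockout window, the denylist and the logon events are all constructed assumptions, not Faspex settings or log formats.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

MIN_LENGTH = 12                        # IA-5 minimum length (assumed value)
MAX_FAILURES = 5                       # AC-7 failures before lockout (assumed)
FAILURE_WINDOW = timedelta(minutes=15) # AC-7 counting window (assumed)
# Constructed denylist of trivial/default passwords; a real deployment
# would check against a much larger breached-password list.
DENYLIST = {"password", "Password1", "aspera", "faspex", "admin123"}

def password_policy_violations(pw: str) -> list[str]:
    """Return the IA-5 policy rules the password fails (empty list == OK)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        problems.append("fewer than 3 character classes")
    if pw.lower() in {d.lower() for d in DENYLIST}:
        problems.append("on the denylist of default/common passwords")
    return problems

def locked_accounts(events):
    """events: iterable of (timestamp, username, success) in time order.
    Returns {username: lockout_time} for accounts that reach MAX_FAILURES
    failed logons inside FAILURE_WINDOW (AC-7 style lockout)."""
    recent = defaultdict(list)
    locked = {}
    for ts, user, ok in events:
        if user in locked:
            continue                   # already locked; ignore further attempts
        if ok:
            recent[user].clear()       # successful logon resets the counter
            continue
        recent[user] = [t for t in recent[user] if ts - t <= FAILURE_WINDOW]
        recent[user].append(ts)
        if len(recent[user]) >= MAX_FAILURES:
            locked[user] = ts
    return locked

# Constructed sample: a guessing burst against 'alice', normal use by 'bob'.
t0 = datetime(2025, 1, 29, 10, 0, 0)
SAMPLE_EVENTS = [(t0 + timedelta(seconds=20 * i), "alice", False) for i in range(6)]
SAMPLE_EVENTS += [(t0 + timedelta(minutes=1), "bob", False),
                  (t0 + timedelta(minutes=2), "bob", True)]
SAMPLE_EVENTS.sort()
```

Running `locked_accounts(SAMPLE_EVENTS)` locks only `alice`, at her fifth failure; `bob`'s single failure followed by a success never reaches the limit.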
