CVE-2025-13481
BaseFortify
Publication date: 2025-12-11
Last updated on: 2025-12-15
Assigner: IBM Corporation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | aspera_orchestrator | From 4.0.0 (inc) to 4.1.1 (exc) |
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can lead to severe impacts including unauthorized execution of commands with elevated privileges, which can compromise system confidentiality, integrity, and availability. An attacker with valid credentials could potentially take control of the system, manipulate data, disrupt services, or cause other harmful effects.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in IBM Aspera Orchestrator versions 4.0.0 through 4.1.0, it is strongly recommended to upgrade to version 4.1.1 or later, where the issue has been addressed. [1]
Can you explain this vulnerability to me?
This vulnerability in IBM Aspera Orchestrator versions 4.0.0 through 4.1.0 allows an authenticated user to execute arbitrary commands with elevated privileges on the system. This happens because the software improperly validates user-supplied input, enabling privilege escalation and command execution beyond intended permissions.