CVE-2025-0162

High

Published: 07 March 2025

Published

07 March 2025

Modified

13 March 2025

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

EPSS Score 0.0008 23.8th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Security Summary

CVE-2025-0162 is an XML external entity injection (XXE) vulnerability, mapped to CWE-611, affecting IBM Aspera Shares versions 1.9.9 through 1.10.0 PL7. The issue arises when the software processes XML data, potentially allowing improper handling of external entities.

A remote authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation could enable the attacker to disclose sensitive information (C:H) or consume memory resources (A:L), with no integrity impact (I:N) and unchanged scope (S:U). The CVSS v3.1 base score is 7.1.

IBM's security advisory provides details on mitigation and patching; see https://www.ibm.com/support/pages/node/7185096.

Details

CWE(s): CWE-611

Affected Products

ibm

aspera shares

1.10.0 · 1.9.9 — 1.10.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

attack.mitre.org →

Why these techniques?

XXE vulnerability in public-facing web application directly enables exploitation via T1190 and facilitates local file reading for sensitive data disclosure via T1005.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.ibm.com/support/pages/node/7185096
Vendor Advisory · psirt@us.ibm.com