CVE-2022-47986

CRITICAL KEV RANSOMWARE NUCLEI

IBM Aspera Faspex < 4.4.2 PL2 - Remote Code Execution via YAML Deserialization

Title source: llm

Exploitation Summary

CVE-2022-47986 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 21, 2023, with confirmed use in ransomware campaigns. EIP tracks 6 public exploits from researchers including Maurice Lambert, ohnonoyesyes and mauricelambert. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages YAML deserialization in IBM Aspera Faspex to achieve remote code execution (RCE) by sending a crafted POST request with a malicious YAML payload. The payload uses Ruby object deserialization to execute arbitrary commands via the `Kernel.eval` method.

Description

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.

Exploits (6)

exploitdb WORKING POC
by Maurice Lambert · python · remote · multiple
https://www.exploit-db.com/exploits/51316

This exploit leverages YAML deserialization in IBM Aspera Faspex to achieve remote code execution (RCE) by sending a crafted POST request with a malicious YAML payload. The payload uses Ruby object deserialization to execute arbitrary commands via the `Kernel.eval` method.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: IBM Aspera Faspex < 4.4.2
No auth needed
Prerequisites: Network access to the target IBM Aspera Faspex instance
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC · 6 stars
by ohnonoyesyes · remote
https://github.com/ohnonoyesyes/CVE-2022-47986

This PoC exploits CVE-2022-47986, a pre-authentication RCE vulnerability in Aspera Faspex. It leverages YAML deserialization to execute arbitrary commands via a crafted payload sent to the `/aspera/faspex/package_relay/relay_package` endpoint.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Aspera Faspex (versions affected by CVE-2022-47986)
No auth needed
Prerequisites: Network access to the target Aspera Faspex instance · Python 3 with the `requests` library
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC · 1 star
by mauricelambert · remote
https://github.com/mauricelambert/CVE-2022-47986

This repository contains a proof-of-concept exploit for CVE-2022-47986, which leverages YAML deserialization to achieve remote code execution (RCE) in IBM Aspera Faspex versions before 4.4.2. The exploit uses crafted YAML payloads to trigger arbitrary command execution via Ruby's `Kernel.eval` method.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: IBM Aspera Faspex < 4.4.2
No auth needed
Prerequisites: Network access to the target IBM Aspera Faspex instance · Target must be running a vulnerable version (< 4.4.2)
devstral-2 · analyzed Feb 16, 2026
nomisec STUB
by dhina016 · remote
https://github.com/dhina016/CVE-2022-47986

The repository contains only a README.md file with the CVE identifier and no exploit code or technical details. It appears to be a placeholder or incomplete submission.

Classification: Stub (10%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026
github WORKING POC
by Oracle-Security · python · poc
https://github.com/Oracle-Security/Weaponized-CVEs/tree/main/CVE-2022-47986.py

The repository contains a functional exploit for CVE-2022-47986, targeting an IBM WebSphere vulnerability. The code includes AJP protocol manipulation for remote code execution (RCE) and is accompanied by weaponized scripts for automation.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: IBM WebSphere Application Server
No auth needed
Prerequisites: Network access to AJP port (typically 8009) · Vulnerable IBM WebSphere version
devstral-2 · analyzed Feb 27, 2026
vulncheck_xdb WORKING POC
remote
https://github.com/assetnote/exploits

The repository contains a functional exploit for CVE-2022-47986, a pre-authentication remote code execution vulnerability in Aspera Faspex. The exploit leverages YAML deserialization to achieve arbitrary command execution via a crafted payload sent to the `/aspera/faspex/package_relay/relay_package` endpoint.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Aspera Faspex
No auth needed
Prerequisites: Network access to the target Aspera Faspex instance
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

IBM Aspera Faspex <=4.4.2 PL1 - Remote Code Execution
CRITICAL · VERIFIED · by coldfish
Shodan: html:"Aspera Faspex" || cpe:"cpe:2.3:o:linux:linux_kernel"

Scores

CVSS v3: 9.8
EPSS: 0.9997
EPSS Percentile: 100.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2023-02-21
VulnCheck KEV: 2023-02-13
InTheWild.io: 2023-02-15
ENISA EUVD: EUVD-2022-50700
Ransomware Use: Confirmed
CWE: CWE-502
Status: published
Products (2)
ibm/aspera_faspex 4.4.2 (2 CPE variants)
ibm/aspera_faspex < 4.4.1
Published: Feb 17, 2023
KEV Added: Feb 21, 2023
Tracked Since: Feb 18, 2026