HIGH | CVE-2026-8180 | CNA: ibm

CVE-2026-8180: Multiple vulnerabilities in Aspera applications.

IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential denial of service in the asperahttpd component. An unauthenticated user can cause the asperahttpd service to crash.

HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in IBM Aspera High-Speed Transfer Endpoint and High-Speed Transfer Server, affecting versions 3.7.4 through 4.4.7 Fix Pack 1. The flaw is reachable over the network with no authentication required, targeting the asperahttpd component. A successful attack crashes the asperahttpd service, making file transfer functionality unavailable. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection for CVE-2026-8180 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Aspera components. Any image running an affected version of the High-Speed Transfer Endpoint or High-Speed Transfer Server is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector, and that score is available as an input to each customer's compliance policy weighting. Findings are routed to the appropriate team inbox within each customer organization based on their configured severity thresholds and policy rules.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment IBM releases a fix. For customers with auto-remediation enabled, a rebuild, regression-test run, and PR against affected workloads will be initiated automatically once a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the asperahttpd service over the network; the component is exposed as an HTTP service and is reachable remotely.

  • Authentication: Not required

    No credentials or account of any kind are needed; the attack can be launched by any unauthenticated network client.

  • Victim interaction: Not required

    No user action is required; the attacker sends requests directly to the service without any involvement from a logged-in user.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup.

Blast Radius

  • Crashes the asperahttpd service, interrupting all HTTP-based file transfer operations handled by that component.
  • Causes a denial of service to all users and systems relying on the affected Aspera endpoint or server for data movement.
  • Availability is fully lost (CVSS A:H) for the affected service; confidentiality and data integrity are not directly impacted by this vulnerability.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring for CVE-2026-8180 is active across all customer environments, with images containing affected versions of IBM Aspera High-Speed Transfer Endpoint or Server flagged as soon as a scan runs. Because IBM has not yet published a fix, HarborGuard re-evaluates the advisory on every ingest cycle. The moment an upstream patch is released, a patched-image rebuild will become available, and for customers with auto-remediation enabled, a rebuild and regression run will be triggered and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth considering include applying network policy to restrict access to the asperahttpd port to trusted source addresses only, enabling egress filtering to limit lateral exposure, and evaluating whether the HTTP component can be disabled or isolated via feature flag if it is not required for all transfer workflows.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: not yet published
Affected products: 2
Affected packages:
  • IBM / Aspera High-Speed Transfer Endpoint: ≤ 4.4.7 Fix Pack 1
  • IBM / Aspera High-Speed Transfer Server: ≤ 4.4.7 Fix Pack 1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References