Severity
High
Analysis Summary
CVE-2025-13214 CVSS:7.6
IBM Aspera Orchestrator 4.0.0 through 4.1.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.
CVE-2025-13148 CVSS:8.1
IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to change the password of another user without prior knowledge of that password.
CVE-2025-13481 CVSS:8.8
IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user-supplied input.
CVE-2025-13211 CVSS:5.3
IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency.
Impact
- Denial of Service
- Gain Access
- Data Manipulation
- Privilege Escalation
Indicators of Compromise
CVE
CVE-2025-13214
CVE-2025-13148
CVE-2025-13481
CVE-2025-13211
Affected Vendors
- IBM
Affected Products
- IBM Aspera Orchestrator 4.0.0
- IBM Aspera Orchestrator 4.1.0
Remediation
Refer to the IBM Security Advisory for patch, upgrade, or suggested workaround information.