Open Nav
Sign Up

Buhti Ransomware

BUHTI Ransomware

Omer Pinsker

February 16, 2023

On Feb 15, 2023, the OP Innovate incident response team responded to multiple ransom attacks being carried out simultaneously on US companies. Some were perpetrated by a new group named “Buhti”.

The Buhti attack group is actively exploiting CVE-2022-47986 on IBM Aspera Faspex which allows a remote attacker to execute arbitrary code on the target system. This vulnerability is caused by a YAML deserialization flaw. Therefore by sending a specially-crafted obsolete API call, an attacker can exploit this vulnerability to execute arbitrary code on the system.

The vulnerability was discovered by an attack surface management tool (ASM) and reported to IBM in October 2022. In January 2023 IBM informed their customers about the vulnerabilities and released a patch. Cybersecurity companies around the world started publishing exploitation methods (including code examples) for this vulnerability and we assume that the ‘Buhti’ groups used these POCs to launch attacks against organizations around the world. 

We have also seen other reports of this vulnerability being exploited in the wild. There is not much information about the attack group but we assume that they are acting from the Balkan region since Buhti is a delicious Bulgarian dish.

The ransom demand:

Buhti Ransom note

According to OP Innovate’s threat intelligence, many attack groups around the world are discussing this vulnerability. According to our non-intrusive scans, more than 2000 companies located mostly in the United States and the United Kingdom are still exposed to Aspera Faspex vulnerabilities on their servers. 

How to remediate and mitigate:

  • Update Faspex to version 4.4.2 PL2.
  • Avoid externally exposing Faspex servers with versions that are lower than the patched version. 

More POCs will be shared in the future. 

For more information please contact us !

Resources highlights

New Linux Vulnerabilities (CVE-2025-6018 & CVE-2025-6019) Enable Full Root Access in Seconds

Security researchers have uncovered a critical privilege escalation chain in major Linux distributions that allows any local user with a session (SSH or GUI) to…

Read more >

CVE-2025-6018, CVE-2025-6019

Zero to Hero: How Our Red Team Turned a Sticky Note Into Full Cloud Compromise

“The weakest link in your security chain might be sitting right on your desk.” At OP Innovate, our CREST-certified red team is trained to think…

Read more >

OP Innovate Red Team

One-Third of All Grafana Instances Vulnerable to XSS (CVE-2025-4123)

Over 46,000 internet-facing Grafana servers (≈36 % of those online) are still running versions susceptible to CVE-2025-4123, a high-severity open-redirect that chains into stored cross-site…

Read more >

CVE-2025-4123

New Microsoft Outlook Vulnerability Enables Local Code Execution (CVE-2025-47176)

Published: June 11, 2025 Threat Level: High Affected Product: Microsoft Outlook (Microsoft 365 Apps for Enterprise, Office LTSC 2024) CVSS Score: 7.8 (High) A newly…

Read more >

CVE-2025-47176

How MSSPs Are Turning Penetration Testing Into Recurring Revenue with WASP

When OP Innovate first launched WASP in 2022, we weren’t chasing unicorn status or massive VC rounds. We were focused on fixing a real problem:…

Read more >

CVE-2025-49113: Actively Exploited Critical Vulnerability in Roundcube Webmail

Severity: Critical (CVSS 9.9) Status: Active Exploitation Confirmed On June 1, 2025, Roundcube developers issued critical security updates to patch a newly discovered vulnerability in…

Read more >

CVE-2025-49113.
Under Cyber Attack?

Fill out the form and we will contact you immediately.