Authentication Bypass Vulnerability in IBM FlashSystem Products
CVE-2025-0159

9.1 CRITICAL

Key Information:

Vendor: IBM
CVE Published: 28 February 2025

What is CVE-2025-0159?

CVE-2025-0159 is a vulnerability in IBM FlashSystem products, which are designed for high-performance storage. This critical flaw lets remote attackers bypass authentication on the RPCAdapter endpoint by sending specifically crafted HTTP requests. Exploitation could lead to unauthorized access to and control over the storage systems, posing severe risks to organizations that rely on these products for data management and security.

Technical Details

The vulnerability affects various versions of IBM FlashSystem software, including multiple releases from 8.5.0.0 through to 8.7.2.1. The issue arises from improper authentication mechanisms, allowing attackers to gain entry without valid credentials. Successful exploitation requires the attacker to send carefully formulated HTTP requests to the affected systems, potentially compromising the integrity of data and services provided by the storage solution.

Potential impact of CVE-2025-0159

  1. Unauthorized Access: The primary risk is that attackers can gain unauthorized access to storage systems, leading to data manipulation or theft that could affect business operations.

  2. Data Integrity Compromise: With access to storage, attackers could alter, delete, or corrupt critical data, severely impacting an organization’s ability to operate effectively and maintain trust with stakeholders.

  3. Operational Disruption: The exploitation of this vulnerability could disrupt service availability, impacting productivity and possibly leading to significant financial losses and reputational damage for affected businesses.

Affected Version(s)

Storage Virtualize 8.5.0.0 <= 8.5.0.13

Storage Virtualize 8.5.1.0

Storage Virtualize 8.5.2.0 <= 8.5.2.3

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
