Tag: ibm

  • CVE-2025-0159: Authentication Bypass in IBM FlashSystem (Storage Virtualize)

    Overview

    IBM has disclosed a critical vulnerability, CVE-2025-0159, affecting multiple versions of its FlashSystem product line through the IBM Storage Virtualize platform. The flaw is categorized under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and enables unauthenticated attackers to bypass authentication controls at the RPCAdapter endpoint.

    Vulnerability Details

    The issue lies in the handling of HTTP requests at the RPCAdapter endpoint. By sending a specially crafted HTTP request, a remote attacker can bypass authentication mechanisms entirely. This allows unauthorized access to sensitive administrative functions or data without requiring user credentials or prior access.

    The vulnerability impacts multiple versions from the 8.5.0.0 release through 8.7.2.1, including several patch levels across versions 8.5, 8.6, and 8.7. This wide range of affected versions underscores the urgency for enterprise customers using IBM FlashSystem to apply mitigations immediately.

    Technical Breakdown

    According to IBM and CVSS v3.1, the vulnerability is rated as Critical with a base score of 9.1. The CVSS vector is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

    Key characteristics:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

    Impacted Products

    The vulnerability affects the following IBM Storage Virtualize versions:

    • 8.5.0.0 – 8.5.0.13
    • 8.5.1.0
    • 8.5.2.0 – 8.5.2.3
    • 8.5.3.0 – 8.5.3.1
    • 8.5.4.0
    • 8.6.0.0 – 8.6.0.5
    • 8.6.1.0
    • 8.6.2.0 – 8.6.2.1
    • 8.6.3.0
    • 8.7.0.0 – 8.7.0.2
    • 8.7.1.0
    • 8.7.2.0 – 8.7.2.1
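
    To check an inventory against the ranges listed above, the following added example (not IBM's code and not part of the original post) compares each code level numerically, part by part, so that 8.5.0.13 sorts after 8.5.0.9. The system names, the sample inventory and the optional trailing build suffix on the code level string are assumptions; a level outside the list is reported as not-listed rather than fixed, because this page does not name the fixed releases.

```python
import re

# Affected IBM Storage Virtualize ranges, copied from the list on this page
# (inclusive bounds; a single release has equal lower and upper bound).
AFFECTED = [
    ("8.5.0.0", "8.5.0.13"), ("8.5.1.0", "8.5.1.0"), ("8.5.2.0", "8.5.2.3"),
    ("8.5.3.0", "8.5.3.1"), ("8.5.4.0", "8.5.4.0"), ("8.6.0.0", "8.6.0.5"),
    ("8.6.1.0", "8.6.1.0"), ("8.6.2.0", "8.6.2.1"), ("8.6.3.0", "8.6.3.0"),
    ("8.7.0.0", "8.7.0.2"), ("8.7.1.0", "8.7.1.0"), ("8.7.2.0", "8.7.2.1"),
]

# Four dotted integers, optionally followed by whitespace or "(build ...)".
# The trailing build suffix is an assumed input format, not taken from the page.
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)(?=\s|$|\()")

def parse_level(code_level):
    """Return the code level as a tuple of ints, or None if it cannot be parsed."""
    m = _VERSION.match(code_level or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(code_level):
    """Return 'affected', 'not-listed' or 'unknown' for one code level string."""
    v = parse_level(code_level)
    if v is None:
        return "unknown"  # unparseable: needs a manual check, never assume safe
    for lo, hi in AFFECTED:
        # Tuple comparison is numeric per component; string comparison would
        # wrongly place "8.5.0.13" before "8.5.0.9".
        if parse_level(lo) <= v <= parse_level(hi):
            return "affected"
    return "not-listed"

def triage(inventory):
    """Sort (name, code_level) pairs so affected and unknown systems come first."""
    order = {"affected": 0, "unknown": 1, "not-listed": 2}
    rows = [(name, level, classify(level)) for name, level in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

# Constructed sample inventory (hypothetical system names and levels).
SAMPLE = [
    ("fs-lab-01", "8.7.3.0"),
    ("fs-prod-01", "8.5.0.13 (build 0)"),
    ("fs-prod-02", "8.5.0.14"),
    ("fs-dr-01", "8.7.2.1"),
    ("fs-old-01", "n/a"),
]

if __name__ == "__main__":
    for name, level, status in triage(SAMPLE):
        print(f"{status:<11} {name:<11} {level}")
```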

    Mitigation and Recommendations

    • IBM strongly recommends upgrading to the latest version of IBM Storage Virtualize that addresses this vulnerability.
    • Restrict network access to affected systems and RPCAdapter endpoints wherever possible.
    • Monitor for unauthorized access attempts or suspicious RPC traffic.

    Conclusion

    CVE-2025-0159 represents a serious security risk for enterprises using IBM FlashSystem solutions. Its network-based, unauthenticated nature means attackers can remotely compromise systems without prior access. Prompt action is essential to protect sensitive storage infrastructure from exploitation.

    For more information, consult IBM’s official security advisory.