CVE-2025-0159

Summary

IBM FlashSystem (IBM Storage Virtualize (8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, 8.7.2.0 through 8.7.2.1) could allow a remote attacker to bypass RPCAdapter endpoint authentication by sending a specifically crafted HTTP request.

Affected Software

VendorProductVersion RangeStatus
IBMStorage Virtualize8.5.0.0 <= 8.5.0.13affected
IBMStorage Virtualize8.5.1.0affected
IBMStorage Virtualize8.5.2.0 <= 8.5.2.3affected
IBMStorage Virtualize8.5.3.0 <= 8.5.3.1affected
IBMStorage Virtualize8.5.4.0affected
IBMStorage Virtualize8.6.0.0 <= 8.6.0.5affected
IBMStorage Virtualize8.6.1.0affected
IBMStorage Virtualize8.6.2.0 <= 8.6.2.1affected
IBMStorage Virtualize8.6.3.0affected
IBMStorage Virtualize8.7.1.0affected
IBMStorage Virtualize8.7.2.0 <= 8.7.2.1affected

Weaknesses

  • CWE-288: CWE-288 Authentication Bypass Using an Alternate Path or Channel

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References