Dell Technologies has issued a critical security advisory addressing multiple high-severity vulnerabilities in its Storage Center and Storage Manager (DSM) software, which could allow remote attackers to bypass authentication mechanisms and gain unauthorized access to sensitive management functions.
The most severe flaw, CVE-2025-43995, received a CVSS base score of 9.8, marking it as critical. According to Dell’s advisory, “Dell Storage Center – Dell Storage Manager, version(s) 20.1.21, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass.”
This vulnerability affects the DSM Data Collector component, which exposes certain APIs through ApiProxy.war in DataCollectorEar.ear. Dell explains that “an unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId. These UserId are special users created in compellentservicesapi for special purposes.”
In practical terms, this means that a remote attacker could leverage pre-defined session tokens or hardcoded credentials to gain administrative-level access to DSM’s internal API endpoints — effectively bypassing normal authentication controls and interacting with protected storage management functions.
The second vulnerability, CVE-2025-43994 (CVSS 8.6), concerns “Missing Authentication for a Critical Function” in the same DSM version (20.1.21). Dell warns that “an unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.”
This flaw affects key backend operations within Dell Storage Manager’s web management interface, potentially allowing an attacker to query sensitive configuration data or operational metrics without providing valid credentials.
A third, medium-severity flaw — CVE-2025-46425 (CVSS 6.5) — was also disclosed, involving Improper Restriction of XML External Entity (XXE) references in DSM version 20.1.20.
Dell notes that “a low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.”
The vulnerability arises from improper input handling during XML parsing within DSM’s management API, which could allow a malicious user to read arbitrary files or execute server-side requests.
All three vulnerabilities impact Dell Storage Manager versions prior to 2020 R1.21. The company has released version 2020 R1.22 as the remediated build, which addresses the authentication and XXE flaws in full.