
IBM has issued a security bulletin disclosing two vulnerabilities affecting the graphical user interface (GUI) of several IBM Storage Virtualize products. These vulnerabilities, tracked as CVE-2025-0159 and CVE-2025-0160, could allow attackers to bypass authentication and execute arbitrary code on affected systems.
CVE-2025-0159 is an authentication bypass vulnerability that could allow a remote attacker to bypass RPCAdapter endpoint authentication by sending a specially crafted HTTP request. This vulnerability has a CVSS base score of 9.1, indicating a critical severity level.
CVE-2025-0160 is an arbitrary code execution vulnerability that could allow a remote attacker with access to the system to execute arbitrary Java code due to improper restrictions in the RPCAdapter service. This vulnerability has a CVSS base score of 8.1, indicating a high severity level.
The following IBM Storage Virtualize code levels are affected by both vulnerabilities:
- IBM Storage Virtualize, versions 8.5.0.0-8.5.0.13
- IBM Storage Virtualize, versions 8.5.1.0, 8.5.2.0-8.5.2.3, 8.5.3.0-8.5.3.1, 8.5.4.0
- IBM Storage Virtualize, versions 8.6.0.0-8.6.0.5
- IBM Storage Virtualize, versions 8.6.1.0, 8.6.2.0-8.6.2.1, 8.6.3.0
- IBM Storage Virtualize, versions 8.7.0.0-8.7.0.2
- IBM Storage Virtualize, versions 8.7.1.0, 8.7.2.0-8.7.2.1
IBM recommends upgrading affected systems to the code levels below or later. The guidance applies to every product family that runs Storage Virtualize: IBM SAN Volume Controller; IBM Storwize V7000, V5000, V5100 and V5000E; IBM FlashSystem 5000, 5100, 5200 and 5300; IBM FlashSystem 7200 and 7300; IBM FlashSystem 9100, 9200 and 9500; and IBM Storage Virtualize for Public Cloud. The mapping from current level to fix level is:
- 8.5.0.0-8.5.0.13: Upgrade to 8.5.0.14
- 8.5.1.0, 8.5.2.0-8.5.2.3, 8.5.3.0-8.5.3.1, 8.5.4.0: Upgrade to 8.6.0.6
- 8.6.0.0-8.6.0.5: Upgrade to 8.6.0.6
- 8.6.1.0, 8.6.2.0-8.6.2.1, 8.6.3.0: Upgrade to 8.7.0.3
- 8.7.0.0-8.7.0.2: Upgrade to 8.7.0.3
- 8.7.1.0, 8.7.2.0-8.7.2.1: Upgrade to 8.7.2.2
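The affected-level and fix-level tables above translate directly into a version check that can be run across an inventory of clusters. The script below is an added example written for this article, not IBM tooling. It assumes the code level is taken from the code_level field of the `lssystem` CLI output in the form "8.6.0.5 (build ...)"; the build numbers and system names in the sample inventory are constructed. It classifies each system as affected (with the fix level the bulletin names), already at or beyond the fix level of its stream, or not covered by the bulletin at all, which is deliberately reported as "check manually" rather than "safe".

```python
"""Classify IBM Storage Virtualize code levels against the CVE-2025-0159 /
CVE-2025-0160 bulletin. Added example, not IBM's own tooling.

The version string is assumed to come from the code_level field of the
`lssystem` CLI output, e.g. "8.6.0.5 (build 169.10.2403130500000)"; the
build numbers used in the samples below are constructed, not real builds."""

import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# (lowest affected, highest affected, fix level) copied from the bulletin.
# Ranges are inclusive; single affected releases appear as low == high.
AFFECTED_RANGES: List[Tuple[str, str, str]] = [
    ("8.5.0.0", "8.5.0.13", "8.5.0.14"),
    ("8.5.1.0", "8.5.1.0", "8.6.0.6"),
    ("8.5.2.0", "8.5.2.3", "8.6.0.6"),
    ("8.5.3.0", "8.5.3.1", "8.6.0.6"),
    ("8.5.4.0", "8.5.4.0", "8.6.0.6"),
    ("8.6.0.0", "8.6.0.5", "8.6.0.6"),
    ("8.6.1.0", "8.6.1.0", "8.7.0.3"),
    ("8.6.2.0", "8.6.2.1", "8.7.0.3"),
    ("8.6.3.0", "8.6.3.0", "8.7.0.3"),
    ("8.7.0.0", "8.7.0.2", "8.7.0.3"),
    ("8.7.1.0", "8.7.1.0", "8.7.2.2"),
    ("8.7.2.0", "8.7.2.1", "8.7.2.2"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract the four-part code level from a raw string such as
    'code_level 8.6.0.5 (build 169.10.2403130500000)'. Comparing int
    tuples avoids the classic string-comparison bug where '8.5.0.13'
    sorts before '8.5.0.2'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no a.b.c.d code level found in {text!r}")
    major, minor, release, fix = (int(part) for part in match.groups())
    return (major, minor, release, fix)


def assess(code_level: str) -> Tuple[str, Optional[str]]:
    """Return (status, fix_level) for one system.

    'affected' -> upgrade to fix_level, as the bulletin directs.
    'fixed'    -> already at or beyond the fix level of its own
                  major.minor.release stream.
    'unlisted' -> the bulletin names neither this level nor a fix for
                  its stream; review it manually instead of assuming
                  it is unaffected."""
    version = parse_version(code_level)
    for low, high, fix in AFFECTED_RANGES:
        if parse_version(low) <= version <= parse_version(high):
            return ("affected", fix)
    for _, _, fix in AFFECTED_RANGES:
        fixed_at = parse_version(fix)
        if version[:3] == fixed_at[:3] and version >= fixed_at:
            return ("fixed", fix)
    return ("unlisted", None)


def report(inventory: Dict[str, str]) -> List[str]:
    """One line per system, affected systems first so the upgrade work
    sits at the top of the list."""
    rows = [(name, *assess(level)) for name, level in inventory.items()]
    order = {"affected": 0, "unlisted": 1, "fixed": 2}
    rows.sort(key=lambda row: (order[row[1]], row[0]))
    lines: List[str] = []
    for name, status, fix in rows:
        if status == "affected":
            lines.append(f"{name}: AFFECTED - upgrade to {fix} or later")
        elif status == "fixed":
            lines.append(f"{name}: fixed (at or beyond {fix})")
        else:
            lines.append(f"{name}: not covered by the bulletin - check manually")
    return lines


if __name__ == "__main__":
    # Constructed inventory: names and build numbers are made up.
    sample = {
        "svc-prod-01": "code_level 8.6.2.1 (build 169.10.2403130500000)",
        "fs9500-dr": "code_level 8.7.0.3 (build 171.20.2409100500000)",
        "fs5200-lab": "code_level 8.5.0.13 (build 161.12.2311220300000)",
        "legacy-v7k": "code_level 8.4.0.9 (build 154.30.2206100300000)",
    }
    for line in report(sample):
        print(line)
```

The second loop in `assess` is what keeps the check honest: a level such as 8.7.2.5 is reported as fixed because the bulletin names 8.7.2.2 as the fix for that stream, whereas 8.4.0.9 is reported as unlisted because the bulletin says nothing about the 8.4 stream either way.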
Administrators should apply these updates as soon as possible. Two points from the tables matter when planning the work. First, the 8.5.1 through 8.5.4 and the 8.6.1 through 8.6.3 streams receive no in-stream fix and must move to 8.6.0.6 and 8.7.0.3 respectively, so for those systems the remediation is a release upgrade rather than a fix pack. Second, because CVE-2025-0159 needs only a crafted HTTP request to the GUI's RPCAdapter endpoint, the actual code level of every cluster (the code_level field reported by lssystem) should be verified against the affected list rather than assumed from inventory records.