
Quantum has issued a critical security advisory warning users of two high-severity vulnerabilities in the StorNext GUI API, affecting a wide range of StorNext products. If exploited together, these vulnerabilities could allow Remote Code Execution (RCE) on vulnerable systems, posing significant risks to enterprise storage environments.
“Two high-severity security vulnerabilities have been identified in the StorNext GUI API… When the two vulnerabilities are combined, StorNext is exposed to potential Remote Code Execution (RCE),” the security advisory warns.
The two vulnerabilities are:
- CVE-2025-46616 (CVSS 9.9): This flaw enables unauthorized file uploads, potentially leading to arbitrary remote code execution.
- CVE-2025-46617 (CVSS 7.1): This weakness allows exposure of internal StorNext configuration and unauthorized modification of configuration parameters using undocumented user credentials.
The advisory notes that the following Quantum products are vulnerable if not updated:
- All currently-supported versions (6.3.1+) of Workflow Directors and StorNext RYO prior to 7.2.4
- All versions of ActiveScale Cold Storage (ActiveScale without Cold Storage is not affected)
Administrators can verify exposure by running a simple curl command against the StorNext GUI. If the system returns “Response Code: 200” when queried with specific credentials, the system is vulnerable.
Quantum provides a clear method: “If you receive output that reads, ‘Response Code: 200’, your StorNext is exposed to the security vulnerability.”
Quantum has released a mitigation script (stornext-mitigation.zip) to disable the vulnerable API endpoints and protect affected systems until a full upgrade to StorNext 7.2.4 can be performed. Applying the mitigation is a straightforward process that takes about 30 seconds and involves restarting the StorNext web service.
Administrators should note one side effect: if you are in the process of setting up High Availability (HA) for StorNext, the mitigation must be temporarily disabled to complete the HA configuration and then reapplied afterward.
Quantum strongly urges administrators to upgrade or apply the provided mitigation patches as soon as possible.