CVE-2025-0159

CRITICAL

IBM Storage Virtualize Unauthenticated Authentication Bypass via RPCAdapter Endpoint

Title source: llm

Description

IBM FlashSystem (IBM Storage Virtualize) 8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, and 8.7.2.0 through 8.7.2.1 could allow a remote attacker to bypass RPCAdapter endpoint authentication by sending a specially crafted HTTP request.

References (1)

Vendor Advisory: https://www.ibm.com/support/pages/node/7184182

Scores

CVSS v3 9.1
EPSS 0.0080
EPSS Percentile 51.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-306 CWE-288
Status published
Products (12)
ibm/storage_virtualize 8.5.1.0
ibm/storage_virtualize 8.5.3.0
ibm/storage_virtualize 8.5.3.1
ibm/storage_virtualize 8.5.4.0
ibm/storage_virtualize 8.6.1.0
ibm/storage_virtualize 8.6.2.0
ibm/storage_virtualize 8.6.2.1
ibm/storage_virtualize 8.6.3.0
ibm/storage_virtualize 8.7.1.0
ibm/storage_virtualize 8.7.2.0
... and 2 more
Published Feb 28, 2025
Tracked Since Feb 18, 2026