CVE-2025-0159

CVE-2025-0159 is an authentication bypass vulnerability affecting IBM FlashSystem systems running IBM Storage Virtualize software in versions 8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, and 8.7.2.0 through 8.7.2.1. The flaw, published on 2025-02-28, allows a remote attacker to circumvent RPCAdapter endpoint authentication by sending a specifically crafted HTTP request. It is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function), and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high confidentiality and integrity impacts.

A remote attacker with network access to the affected system, requiring no privileges, user interaction, or special complexity, can exploit this vulnerability by transmitting a tailored HTTP request to the RPCAdapter endpoint. Successful exploitation bypasses authentication controls, potentially granting unauthorized access to sensitive functions or data within the storage virtualization environment. The unchanged scope and high impact on confidentiality and integrity suggest attackers could read or modify protected storage data, though availability remains unaffected.

IBM has issued a security advisory at https://www.ibm.com/support/pages/node/7184182, which provides details on available patches and mitigation steps for resolving the vulnerability in affected IBM FlashSystem and Storage Virtualize deployments. Security practitioners should review the advisory for version-specific fix information and apply updates promptly to affected systems.