CVE-2025-0160
Published: 28 February 2025
Description
IBM FlashSystem (IBM Storage Virtualize (8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, 8.7.2.0 through 8.7.2.1) could allow a remote attacker with access to the system to execute arbitrary Java code due to improper restrictions in the RPCAdapter service.
Security Summary
CVE-2025-0160 is a vulnerability in IBM FlashSystem, specifically affecting the IBM Storage Virtualize family across multiple versions, including 8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, and 8.7.2.0 through 8.7.2.1. It arises from improper restrictions in the RPCAdapter service, enabling a remote attacker with access to the system to execute arbitrary Java code. The issue is mapped to CWE-114 and has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability over the network without requiring privileges or user interaction, though exploitation demands high attack complexity. Successful attacks allow arbitrary Java code execution, resulting in high impacts to confidentiality, integrity, and availability on the affected system.
IBM provides details on mitigation and patches in its security bulletin at https://www.ibm.com/support/pages/node/7184182. Security practitioners should consult this advisory for version-specific remediation guidance.
Details
- CWE(s)