CVE Vulnerabilities

CVE-2025-0159

Authentication Bypass Using an Alternate Path or Channel

Published: Feb 28, 2025 | Modified: Aug 18, 2025
CVSS 3.x
9.1
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

IBM FlashSystem (IBM Storage Virtualize (8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, 8.7.2.0 through 8.7.2.1) could allow a remote attacker to bypass RPCAdapter endpoint authentication by sending a specifically crafted HTTP request.

Weakness

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

Affected Software

Name Vendor Start Version End Version
Storage_virtualize Ibm 8.5 (including) 8.5.0.14 (excluding)
Storage_virtualize Ibm 8.5.2.0 (including) 8.5.2.3 (including)
Storage_virtualize Ibm 8.6.0.0 (including) 8.6.0.6 (excluding)
Storage_virtualize Ibm 8.7.0.0 (including) 8.7.0.3 (excluding)
Storage_virtualize Ibm 8.5.1.0 (including) 8.5.1.0 (including)
Storage_virtualize Ibm 8.5.3.0 (including) 8.5.3.0 (including)
Storage_virtualize Ibm 8.5.3.1 (including) 8.5.3.1 (including)
Storage_virtualize Ibm 8.5.4.0 (including) 8.5.4.0 (including)
Storage_virtualize Ibm 8.6.1.0 (including) 8.6.1.0 (including)
Storage_virtualize Ibm 8.6.2.0 (including) 8.6.2.0 (including)
Storage_virtualize Ibm 8.6.2.1 (including) 8.6.2.1 (including)
Storage_virtualize Ibm 8.6.3.0 (including) 8.6.3.0 (including)
Storage_virtualize Ibm 8.7.1.0 (including) 8.7.1.0 (including)
Storage_virtualize Ibm 8.7.2.0 (including) 8.7.2.0 (including)
Storage_virtualize Ibm 8.7.2.1 (including) 8.7.2.1 (including)

Potential Mitigations

References