CVE-2025-0159 and CVE-2025-0160 are two vulnerabilities in the RPCAdapter service of IBM Storage Virtualize, the software that runs on IBM FlashSystem arrays. They are rated Critical and High respectively, not both Critical.
CVE-2025-0159 lets a remote, unauthenticated attacker bypass authentication on the RPCAdapter endpoint with a specially crafted HTTP request. CVE-2025-0160 lets a remote attacker who already has access to the system execute arbitrary Java code through the same RPCAdapter service, because the service does not properly restrict what it will run. Since the first flaw removes the authentication the second would otherwise require, the pair should be treated as a single attack chain and patched together.
CVE-2025-0159: Authentication Bypass
IBM Corp. has provided the following description: IBM FlashSystems could allow a remote attacker to bypass RPCAdapter endpoint authentication by sending a specifically crafted HTTP request.
CVSS 3.1: 9.1 (Critical)
Affected Products: IBM Storage Virtualize v8.5.0.0-v8.5.0.13, v8.5.1.0, v8.5.2.0-v8.5.2.3, v8.5.3.0-v8.5.3.1, v8.5.4.0, v8.6.0.0-v8.6.0.5, v8.6.1.0, v8.6.2.0-v8.6.2.1, v8.6.3.0, v8.7.0.0-v8.7.0.2, v8.7.1.0, v8.7.2.0-v8.7.2.1
Vendor Fix Details: https://www.ibm.com/support/pages/node/7184182
The company strongly recommends applying updates immediately, as both vulnerabilities require no user interaction for exploitation. Administrators should:
- Verify their system’s software version
- Download patches from IBM’s Fix Central portal
- Test updates in staging environments
- Deploy fixes during maintenance windows
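The first step of that checklist can be automated. The script below is an added example, not part of the original advisory and not an IBM tool: it takes the output of the Storage Virtualize `lssystem` CLI command (run over SSH against the cluster management address; its `code_level` field carries the running version) and reports which of the two CVEs the page lists that version under. The `lssystem` output shown is a constructed sample, and the affected ranges are transcribed from this page; confirm both against the IBM bulletin linked above before acting on the result. A version that falls outside every listed range is reported as not listed, which is not the same as confirmed fixed.

```python
import re

# Affected ranges as listed on this page, as inclusive (low, high) pairs.
# Transcribed from the advisory text above; verify against the IBM bulletin.
_COMMON = [
    ("8.5.1.0", "8.5.1.0"), ("8.5.2.0", "8.5.2.3"), ("8.5.3.0", "8.5.3.1"),
    ("8.5.4.0", "8.5.4.0"), ("8.6.0.0", "8.6.0.5"), ("8.6.1.0", "8.6.1.0"),
    ("8.6.2.0", "8.6.2.1"), ("8.6.3.0", "8.6.3.0"), ("8.7.0.0", "8.7.0.2"),
    ("8.7.1.0", "8.7.1.0"), ("8.7.2.0", "8.7.2.1"),
]
AFFECTED = {
    # The page lists the 8.5.0.x range only for the authentication bypass.
    "CVE-2025-0159": [("8.5.0.0", "8.5.0.13")] + _COMMON,
    "CVE-2025-0160": list(_COMMON),
}

# Constructed sample in the key/value layout `lssystem` prints; only the
# code_level line matters here. Real output has many more fields.
SAMPLE_LSSYSTEM = """\
id 0000020321E08A98
name flash_cluster_1
location local
code_level 8.5.0.5 (build 157.17.2208101412000)
console_IP 192.0.2.10:443
"""

_VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '8.5.0.5 (build ...)' or 'v8.5.0.5' into a comparable 4-tuple.

    Storage Virtualize code levels are four numeric components; anything
    after them (the build identifier) is ignored for range comparison.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("not a Storage Virtualize code level: %r" % text)
    return tuple(int(part) for part in m.groups())


def code_level_from_lssystem(output):
    """Extract the code_level value from `lssystem` output."""
    for line in output.splitlines():
        key, _, value = line.partition(" ")
        if key == "code_level":
            return value.strip()
    raise ValueError("code_level not found in lssystem output")


def affected_cves(code_level):
    """Return the CVE IDs whose listed ranges contain this code level."""
    version = parse_version(code_level)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(lo) <= version <= parse_version(hi)
               for lo, hi in ranges):
            hits.append(cve)
    return hits


def report(lssystem_output):
    """Human-readable summary for one system's `lssystem` output."""
    level = code_level_from_lssystem(lssystem_output)
    hits = affected_cves(level)
    if hits:
        return "%s: listed as affected by %s" % (level, ", ".join(hits))
    return "%s: not in any range listed on this page (confirm with IBM)" % level


if __name__ == "__main__":
    print(report(SAMPLE_LSSYSTEM))
```

Run it against captured `lssystem` output from each cluster (one capture per cluster, since code levels can differ between systems in a fleet). Comparing 4-tuples rather than strings is what makes `8.5.0.13` sort after `8.5.0.5`, which a naive string comparison gets wrong.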
CVE-2025-0160: Remote Java Code Execution
IBM Corp. has provided the following description: IBM FlashSystems could allow a remote attacker with access to the system to execute arbitrary Java code due to improper restrictions in the RPCAdapter service.
CVSS 3.1: 8.1 (High)
Affected Products: IBM Storage Virtualize v8.5.1.0, v8.5.2.0-v8.5.2.3, v8.5.3.0-v8.5.3.1, v8.5.4.0, v8.6.0.0-v8.6.0.5, v8.6.1.0, v8.6.2.0-v8.6.2.1, v8.6.3.0, v8.7.0.0-v8.7.0.2, v8.7.1.0, v8.7.2.0-v8.7.2.1
Vendor Fix Details: https://www.ibm.com/support/pages/node/7184182