Vulnerability in IBM Storage Virtualize allows malicious code execution
Attackers can abuse security flaws in the user interface of IBM Storage Virtualize products to inject malicious code.
(Image: Created with AI in Bing Image Creator by heise online / dmk)
The manufacturer is currently warning of two security vulnerabilities in the user interface for IBM Storage Virtualize products. Attackers from the network can infiltrate and execute malicious code.
In a security announcement, IBM explains that malicious actors could bypass authentication and execute arbitrary code. The more serious vulnerability allows attackers from the network to bypass RPC adapter endpoint authentication with carefully crafted HTTP requests (CVE-2025-0159, CVSS 9.1, risk "critical").
Vulnerability combination particularly explosive
The second vulnerability allows attackers from the network who already have access to the system to execute arbitrary JavaScript code. This is due to insufficient restrictions in the RPC adapter service (CVE-2025-0160, CVSS 8.1, risk "high"). Chained together, the two flaws let attackers from the network bypass authentication and then execute arbitrary code on vulnerable systems.
IBM emphasizes that the GUI, i.e. the graphical user interface, is affected; the command-line interface is not vulnerable. IBM Storage Virtualize versions 8.5.0.x, 8.5.1.0, 8.5.2.x, 8.5.3.x, 8.5.4.0, 8.6.0.x, 8.6.1.0, 8.6.2.x, 8.6.3.0, 8.7.0.x, 8.7.1.0 and 8.7.2.x are vulnerable. The developers have closed the security gaps in the current releases 8.5.0.14, 8.6.0.6, 8.7.0.3 and 8.7.2.2; the 8.5.1 to 8.5.4 branches are to migrate to 8.6, and the 8.6.1 to 8.6.3 branches to 8.7. IBM also specifically names the affected appliances: IBM FlashSystem 5x00, 7x00 and 9x00, IBM Spectrum Virtualize for Public Cloud, IBM Storwize V5000, V5000E and V7000, and SAN Volume Controller.
IBM does not say whether it is aware of the vulnerabilities already being exploited. Given their severity, however, IT managers should download and install the available updates as soon as possible.
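For administrators with many systems to check, the version-to-remediation mapping from the advisory text above can be encoded as a small triage helper. This is an added example, not code from IBM or heise; the rule table mirrors the branches and fixed levels named in the article, and the function and status names are assumptions.

```python
from typing import NamedTuple, Optional


class Triage(NamedTuple):
    status: str              # "affected", "fixed" or "not listed"
    action: Optional[str]    # remediation named in the advisory, if any


# Affected branches (major, minor, release), the fixed level within that
# branch where the advisory names one, and the remediation it gives.
# Encoded from the advisory text; the 8.7.1 entry has no fixed level there.
RULES = [
    ((8, 5, 0), (8, 5, 0, 14), "update to 8.5.0.14"),
    ((8, 5, 1), None, "migrate to 8.6 (fixed level 8.6.0.6)"),
    ((8, 5, 2), None, "migrate to 8.6 (fixed level 8.6.0.6)"),
    ((8, 5, 3), None, "migrate to 8.6 (fixed level 8.6.0.6)"),
    ((8, 5, 4), None, "migrate to 8.6 (fixed level 8.6.0.6)"),
    ((8, 6, 0), (8, 6, 0, 6), "update to 8.6.0.6"),
    ((8, 6, 1), None, "migrate to 8.7 (fixed level 8.7.0.3)"),
    ((8, 6, 2), None, "migrate to 8.7 (fixed level 8.7.0.3)"),
    ((8, 6, 3), None, "migrate to 8.7 (fixed level 8.7.0.3)"),
    ((8, 7, 0), (8, 7, 0, 3), "update to 8.7.0.3"),
    ((8, 7, 1), None, "advisory names no fixed level for 8.7.1; move to a fixed branch"),
    ((8, 7, 2), (8, 7, 2, 2), "update to 8.7.2.2"),
]


def parse_version(text: str) -> tuple:
    """Parse a four-component Storage Virtualize version like '8.6.0.5'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected four numeric components, got {text!r}")
    return tuple(int(p) for p in parts)


def triage(text: str) -> Triage:
    """Classify one installed version against the advisory's rule table."""
    version = parse_version(text)
    for branch, fixed, action in RULES:
        if version[:3] != branch:
            continue
        # Within a branch that has a fixed level, that level and later are fixed.
        if fixed is not None and version >= fixed:
            return Triage("fixed", None)
        return Triage("affected", action)
    # Branches the advisory does not mention are reported, not assumed safe.
    return Triage("not listed", None)


if __name__ == "__main__":
    for v in ("8.5.0.13", "8.5.0.14", "8.6.2.1", "8.7.1.0", "8.4.0.0"):
        print(v, triage(v))
```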
(dmk)