Critical Security Flaws Discovered in IBM Storage Virtualize

Mon 3rd Mar, 2025

IBM has issued a warning regarding two significant security vulnerabilities affecting its Storage Virtualize products. These flaws could allow cyber attackers to inject and execute malicious code via the user interface.

According to IBM's security advisory, malicious actors could bypass authentication mechanisms, enabling them to run arbitrary code. The first vulnerability (CVE-2025-0159) has a CVSS score of 9.1, categorizing it as critical. This issue allows attackers to circumvent the RPCAdapter endpoint authentication through specially crafted HTTP requests.

The second vulnerability (CVE-2025-0160) is also concerning, as it permits attackers with access to the system to execute arbitrary JavaScript code due to inadequate restrictions in the RPCAdapter service. This vulnerability has a CVSS score of 8.1, marking it as high risk. When exploited in conjunction with the first issue, it enables remote attackers to bypass authentication and execute any code on vulnerable systems.

IBM emphasizes that the vulnerabilities are confined to the graphical user interface (GUI) and do not affect the command-line interface. Vulnerable versions of IBM Storage Virtualize include 8.5.0.x through 8.7.2.x. Fixed releases are available as versions 8.5.0.14, 8.6.0.6, 8.7.0.3, and 8.7.2.2. IBM recommends that users of versions 8.5.1 to 8.5.4 migrate to version 8.6, while those on versions 8.6.1 to 8.6.3 should upgrade to version 8.7.
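The affected range, fixed releases and migration guidance above can be encoded as a fleet triage check. The following is an added example, not code from IBM or from the advisory; the stream-to-action mapping is an assumption derived from this summary, and 8.7.1.x, which the summary places in the affected range without naming a fix, is flagged as vulnerable with no action. Hostnames and versions in the sample inventory are constructed.

```python
"""Classify IBM Storage Virtualize versions against the advisory summary above."""
from typing import Dict, List, Tuple

# Fixed releases named in the summary: stream (major, minor, release) -> first fixed build
FIXED_RELEASES = {(8, 5, 0): 14, (8, 6, 0): 6, (8, 7, 0): 3, (8, 7, 2): 2}
# Streams the summary says to leave rather than patch in place (assumed mapping)
MIGRATE_TO = {(8, 5, 1): "8.6", (8, 5, 2): "8.6", (8, 5, 3): "8.6", (8, 5, 4): "8.6",
              (8, 6, 1): "8.7", (8, 6, 2): "8.7", (8, 6, 3): "8.7"}
AFFECTED_LOW = (8, 5, 0)   # 8.5.0.x is the first affected stream
AFFECTED_HIGH = (8, 7, 2)  # 8.7.2.x is the last affected stream


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'a.b.c.d' into a 4-tuple of ints; reject anything else."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric components, got {text!r}")
    return parts


def assess(version: str) -> Tuple[str, str]:
    """Return (status, action) for one installed version."""
    v = parse_version(version)
    stream, build = v[:3], v[3]
    if stream < AFFECTED_LOW or stream > AFFECTED_HIGH:
        return ("not-listed", "outside the 8.5.0.x-8.7.2.x range named in the advisory")
    if stream in FIXED_RELEASES:
        fixed = FIXED_RELEASES[stream]
        label = ".".join(map(str, stream)) + f".{fixed}"
        if build >= fixed:
            return ("fixed", f"at or above {label}")
        return ("vulnerable", f"update to {label}")
    if stream in MIGRATE_TO:
        return ("vulnerable", f"no in-place fix listed; move to {MIGRATE_TO[stream]}")
    return ("vulnerable", "in the affected range; no fix stream named in the summary")


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, version, status, action) rows, vulnerable hosts first."""
    rows = [(host, ver) + assess(ver) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: r[2] != "vulnerable")


# Constructed sample inventory (not real hosts)
SAMPLE_INVENTORY = {"fs5200-a": "8.5.0.13", "fs7300-b": "8.6.2.1",
                    "svc-c": "8.7.0.3", "v7000-d": "8.4.0.9"}

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("\t".join(row))
```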

Specifically impacted appliances include IBM FlashSystem models 5x00, 7x00, and 9x00, along with IBM Spectrum Virtualize for Public Cloud, IBM Storwize V5000, V5000E, V7000, and SAN Volume Controller.

IBM has not disclosed whether there have been any known exploits of these vulnerabilities. However, given the severity of the issues, it is crucial for IT administrators to promptly download and install the available updates to secure their systems.
