Severity
High
Analysis Summary
CVE-2025-0159 CVSS:9.1
IBM FlashSystem (IBM Storage Virtualize (8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, 8.7.2.0 through 8.7.2.1) could allow a remote attacker to bypass RPCAdapter endpoint authentication by sending a specifically crafted HTTP request.
CVE-2025-0160 CVSS:8.1
IBM FlashSystem (IBM Storage Virtualize (8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, 8.7.2.0 through 8.7.2.1) could allow a remote attacker with access to the system to execute arbitrary Java code due to improper restrictions in the RPCAdapter service.
Impact
- Gain Access
- Security Bypass
Indicators of Compromise
CVE
CVE-2025-0159
CVE-2025-0160
Affected Vendors
- IBM
Affected Products
- IBM Storage Virtualize 8.5.1.0, 8.5.2.0-8.5.2.3, 8.5.3.0-8.5.3.1, 8.5.4.0
- IBM Storage Virtualize 8.6.1.0, 8.6.2.0-8.6.2.1, 8.6.3.0
- IBM Storage Virtualize 8.7.1.0, 8.7.2.0-8.7.2.1
- IBM Storage Virtualize 8.5.0.0-8.5.0.13
- IBM Storage Virtualize 8.7.0.0-8.7.0.2
- IBM Storage Virtualize 8.6.0.0-8.6.0.5
Remediation
Refer to IBM Security Advisory for patch, upgrade, or suggested workaround information.