CVE-2025-0159
Published: 28 February 2025
Summary
CVE-2025-0159 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Ibm Storage Virtualize. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the authentication bypass vulnerability by requiring timely identification, reporting, and patching of the flaw in affected IBM Storage Virtualize versions.
Enforces approved authorizations for logical access to system resources, directly countering the RPCAdapter endpoint authentication bypass.
Monitors and controls communications at external boundaries to restrict remote crafted HTTP requests targeting the vulnerable RPCAdapter endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass via crafted HTTP request to public RPCAdapter endpoint directly enables T1190 (Exploit Public-Facing Application).
NVD Description
IBM FlashSystem (IBM Storage Virtualize (8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, 8.7.2.0 through 8.7.2.1) could allow a remote attacker to bypass RPCAdapter endpoint…
more
authentication by sending a specifically crafted HTTP request.
Deeper analysisAI
CVE-2025-0159 is an authentication bypass vulnerability affecting IBM FlashSystem systems running IBM Storage Virtualize software in versions 8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, and 8.7.2.0 through 8.7.2.1. The flaw, published on 2025-02-28, allows a remote attacker to circumvent RPCAdapter endpoint authentication by sending a specifically crafted HTTP request. It is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function), and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high confidentiality and integrity impacts.
A remote attacker with network access to the affected system, requiring no privileges, user interaction, or special complexity, can exploit this vulnerability by transmitting a tailored HTTP request to the RPCAdapter endpoint. Successful exploitation bypasses authentication controls, potentially granting unauthorized access to sensitive functions or data within the storage virtualization environment. The unchanged scope and high impact on confidentiality and integrity suggest attackers could read or modify protected storage data, though availability remains unaffected.
IBM has issued a security advisory at https://www.ibm.com/support/pages/node/7184182, which provides details on available patches and mitigation steps for resolving the vulnerability in affected IBM FlashSystem and Storage Virtualize deployments. Security practitioners should review the advisory for version-specific fix information and apply updates promptly to affected systems.
Details
- CWE(s)