Cyber Resilience

CVE-2025-0159

Critical

Published: 28 February 2025

Published
28 February 2025
Modified
18 August 2025
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0003 9.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0159 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Ibm Storage Virtualize. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0159 is an authentication bypass vulnerability affecting IBM FlashSystem systems running IBM Storage Virtualize software in versions 8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, and 8.7.2.0 through 8.7.2.1. The flaw, published on 2025-02-28, allows a remote attacker to circumvent RPCAdapter endpoint authentication by sending a specifically crafted HTTP request. It is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function), and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high confidentiality and integrity impacts.

A remote attacker with network access to the affected system, requiring no privileges, user interaction, or special complexity, can exploit this vulnerability by transmitting a tailored HTTP request to the RPCAdapter endpoint. Successful exploitation bypasses authentication controls, potentially granting unauthorized access to sensitive functions or data within the storage virtualization environment. The unchanged scope and high impact on confidentiality and integrity suggest attackers could read or modify protected storage data, though availability remains unaffected.

IBM has issued a security advisory at https://www.ibm.com/support/pages/node/7184182, which provides details on available patches and mitigation steps for resolving the vulnerability in affected IBM FlashSystem and Storage Virtualize deployments. Security practitioners should review the advisory for version-specific fix information and apply updates promptly to affected systems.

EU & UK References

Vulnerability details

IBM FlashSystem (IBM Storage Virtualize (8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, 8.7.2.0 through 8.7.2.1) could allow a remote attacker to bypass RPCAdapter endpoint…

more

authentication by sending a specifically crafted HTTP request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass via crafted HTTP request to public RPCAdapter endpoint directly enables T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0160Same product: Ibm Storage Virtualize
CVE-2026-1264Same vendor: Ibm
CVE-2023-49886Same vendor: Ibm
CVE-2024-39750Same vendor: Ibm
CVE-2026-9170Same vendor: Ibm
CVE-2026-8175Same vendor: Ibm
CVE-2026-7876Same vendor: Ibm
CVE-2024-22348Same vendor: Ibm
CVE-2024-41787Same vendor: Ibm
CVE-2025-36365Same vendor: Ibm

Affected Assets

ibm
storage virtualize
8.5.1.0, 8.5.3.0, 8.5.3.1, 8.5.4.0, 8.6.1.0 · 8.5 — 8.5.0.14 · 8.5.2.0 — 8.5.2.3 · 8.6.0.0 — 8.6.0.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the authentication bypass vulnerability by requiring timely identification, reporting, and patching of the flaw in affected IBM Storage Virtualize versions.

prevent

Enforces approved authorizations for logical access to system resources, directly countering the RPCAdapter endpoint authentication bypass.

prevent

Monitors and controls communications at external boundaries to restrict remote crafted HTTP requests targeting the vulnerable RPCAdapter endpoint.

References