Unrated severity · NVD Advisory · Published May 11, 2022 · Updated Sep 17, 2024

CVE-2021-38969


Description

IBM Spectrum Virtualize 8.2, 8.3, and 8.4 could allow an attacker to gain unauthorized access due to the reuse of support-generated credentials. IBM X-Force ID: 212609.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Spectrum Virtualize 8.2-8.4 allows unauthorized access via reuse of support-generated credentials in the remote support authentication mechanism.

Vulnerability

IBM Spectrum Virtualize versions 8.2, 8.3, and 8.4 contain a vulnerability in the challenge/response authentication mechanism used by IBM remote support [1]. The flaw allows support-generated credentials to be reused on the product's management GUI, bypassing normal authentication controls. Earlier code levels (e.g., 7.8.1) and later code levels (e.g., 8.5.0) are not affected [1].

Exploitation

An attacker with network access to the management GUI can exploit this vulnerability by reusing previously generated support credentials [1]. The attack requires no authentication and has high complexity (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) [1]. The attacker must obtain valid support credentials, possibly through prior compromise or interception, and then present them to the GUI to gain unauthorized access.

Impact

Successful exploitation allows an attacker to gain unauthorized access to the management GUI, resulting in low confidentiality, integrity, and availability impacts [1]. The attacker may view or modify system configuration or cause limited disruption, but the scope remains unchanged (S:U) [1].

Mitigation

IBM has released fixed versions: upgrade to 8.5.0.0, 8.4.0.6, 8.3.1.7, or 8.2.1.15 [1]. No workaround is available. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
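The fixed levels listed above can be checked against an inventory of systems. The following is an added example, not IBM's code or part of the original advisory; the system names and code-level strings are constructed, and the optional "(build ...)" suffix is an assumed input format. Branches the advisory does not name are reported as not affected, following its statement about earlier and later code levels.

```python
import re

# First fixed code level per affected branch, from the Mitigation text above.
FIXED = {(8, 2): (8, 2, 1, 15), (8, 3): (8, 3, 1, 7), (8, 4): (8, 4, 0, 6)}

# Accepts "8.4.0.2" or "8.4.0.2 (build ...)"; the suffix format is an assumption.
_LEVEL = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\s+\(build [^)]*\))?\s*$"
)

def parse_level(text):
    """Return the code level as a 4-tuple of ints; missing parts count as 0."""
    m = _LEVEL.match(text)
    if not m:
        raise ValueError(f"unrecognised code level: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())

def triage(text):
    """Classify one code level as 'affected', 'fixed' or 'not-affected'."""
    level = parse_level(text)
    fixed = FIXED.get(level[:2])
    if fixed is None:
        return "not-affected"  # branch not named by the advisory
    # Tuple comparison is numeric: 8.2.1.9 sorts below 8.2.1.15,
    # which a plain string comparison would get wrong.
    return "fixed" if level >= fixed else "affected"

def triage_inventory(inventory):
    """Map system name -> status; unparseable levels are flagged, not skipped."""
    results = {}
    for name, raw in inventory.items():
        try:
            results[name] = triage(raw)
        except ValueError:
            results[name] = "unknown"
    return results

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical system names).
    sample = {
        "svc-prod-01": "8.2.1.9",
        "svc-prod-02": "8.4.0.6 (build 0.0.0)",
        "svc-lab-01": "8.5.0.0",
        "svc-lab-02": "n/a",
    }
    for name, status in triage_inventory(sample).items():
        print(f"{name}: {status}")
```

Systems reported as "unknown" need a manual check of their code level rather than being treated as safe.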

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
