VYPR
← All advisories
Unrated severityNVD Advisory· Published Feb 28, 2025· Updated Feb 26, 2026

IBM FlashSystem authentication bypass

CVE-2025-0159

Description

IBM FlashSystem (IBM Storage Virtualize (8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, 8.7.2.0 through 8.7.2.1) could allow a remote attacker to bypass RPCAdapter endpoint authentication by sending a specifically crafted HTTP request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM FlashSystem RPCAdapter endpoint authentication bypass via crafted HTTP request.

Vulnerability

An authentication bypass vulnerability exists in the RPCAdapter endpoint of IBM Storage Virtualize (GUI). Affected versions: 8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, and 8.7.2.0 through 8.7.2.1 [1]. The CLI is unaffected.

Exploitation

An unauthenticated remote attacker can bypass authentication by sending a specifically crafted HTTP request to the RPCAdapter endpoint. No user interaction or privileges are required [1].

Impact

Successful exploitation allows the attacker to bypass authentication, resulting in high confidentiality and integrity impact (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). Availability is not affected [1].

Mitigation

IBM recommends upgrading to a fixed code level as specified in the security bulletin [1]. No workaround is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

References
  1. Security Bulletin: Vulnerabilities in the GUI affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.