VYPR
Unrated severity · NVD Advisory · Published Feb 28, 2025 · Updated Feb 28, 2025

IBM FlashSystem code execution

CVE-2025-0160

Description

IBM FlashSystem (IBM Storage Virtualize) 8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, 8.7.2.0 through 8.7.2.1 could allow a remote attacker with access to the system to execute arbitrary Java code due to improper restrictions in the RPCAdapter service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A remote attacker with system access can execute arbitrary Java code via improper restrictions in the RPCAdapter service in IBM Storage Virtualize.

Vulnerability

The vulnerability resides in the RPCAdapter service of IBM Storage Virtualize (IBM FlashSystem) versions 8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, 8.7.2.0 through 8.7.2.1 [1]. Due to improper restrictions in the service, an attacker can execute arbitrary Java code [1].

Exploitation

An attacker requires remote access to the system's management network and can exploit this vulnerability without authentication (CVSS PR:N) [1]. The attack complexity is high (CVSS AC:H), meaning successful exploitation may require specific conditions or multiple attempts. The attacker sends specially crafted HTTP requests to the RPCAdapter endpoint, leveraging the improper restrictions to execute arbitrary Java code [1].

Impact

Successful exploitation allows the attacker to execute arbitrary Java code, leading to full compromise of confidentiality, integrity, and availability (CVSS C:H/I:H/A:H) [1]. The attacker may gain the same privileges as the RPCAdapter service, potentially resulting in complete system compromise.

Mitigation

IBM has released firmware updates to address this vulnerability. Affected users should upgrade to the latest code level for their product as specified in the advisory [1]. For example, for version 8.5.0.x, upgrade to 8.5.0.14 or later; for 8.6.0.x, upgrade to 8.6.0.6 or later. No workarounds are available; the only mitigation is to apply the fix.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • cpe:2.3:a:ibm:storage_virtualize:8.5.0.0:*:*:*:*:*:*:*
    Range: 8.5.0.0
  • IBM/FlashSystem (llm-create)
    Range: >=8.5.0.0 <=8.5.0.13, =8.5.1.0, >=8.5.2.0 <=8.5.2.3, >=8.5.3.0 <=8.5.3.1, =8.5.4.0, >=8.6.0.0 <=8.6.0.5, =8.6.1.0, >=8.6.2.0 <=8.6.2.1, =8.6.3.0, >=8.7.0.0 <=8.7.0.2, =8.7.1.0, >=8.7.2.0 <=8.7.2.1
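
A check of code levels against the affected ranges listed above, as an added example (not IBM's or this page's own code). The function names and the sample inventory are assumptions made up for the illustration; only the range string comes from the page.

```python
AFFECTED_RANGES = (  # copied verbatim from this page's "Affected products" entry
    ">=8.5.0.0 <=8.5.0.13, =8.5.1.0, >=8.5.2.0 <=8.5.2.3, >=8.5.3.0 <=8.5.3.1, "
    "=8.5.4.0, >=8.6.0.0 <=8.6.0.5, =8.6.1.0, >=8.6.2.0 <=8.6.2.1, =8.6.3.0, "
    ">=8.7.0.0 <=8.7.0.2, =8.7.1.0, >=8.7.2.0 <=8.7.2.1"
)
# Constructed inventory; the system names are hypothetical.
SAMPLE_INVENTORY = {"fs-a": "8.5.0.13", "fs-b": "8.5.0.14", "fs-c": "8.7.2.1 (build 1)"}

def parse_version(text):
    """Turn '8.6.0.5' into (8, 6, 0, 5); reject anything but four numeric fields."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a four-part code level, got {text!r}")
    return tuple(int(p) for p in parts)

def parse_ranges(spec):
    """Parse the range string into a list of inclusive (low, high) tuples."""
    ranges = []
    for clause in spec.split(","):
        low = high = None
        for token in clause.split():
            if token.startswith(">="):
                low = parse_version(token[2:])
            elif token.startswith("<="):
                high = parse_version(token[2:])
            elif token.startswith("="):
                low = high = parse_version(token[1:])
            else:
                raise ValueError(f"unsupported constraint {token!r}")
        if low is None or high is None:
            raise ValueError(f"open-ended clause {clause!r}")
        ranges.append((low, high))
    return ranges

def is_affected(code_level, ranges=None):
    """True when code_level falls inside any listed affected range."""
    version = parse_version(code_level)
    return any(lo <= version <= hi for lo, hi in ranges or parse_ranges(AFFECTED_RANGES))

def triage(inventory):
    """Map each system to 'AFFECTED', 'not listed' or 'unparseable'."""
    ranges = parse_ranges(AFFECTED_RANGES)
    result = {}
    for name, level in inventory.items():
        try:
            result[name] = "AFFECTED" if is_affected(level, ranges) else "not listed"
        except ValueError:
            result[name] = "unparseable"  # flag for manual review, never assume safe
    return result
```

A result of "not listed" only means the level is outside the ranges on this page; it does not confirm that the level carries the fix.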

Patches

0

No patches discovered yet.

References

1
