IBM has issued urgent security advisories for two high-severity vulnerabilities (CVE-2025-0159, CVE-2025-0160) affecting its Storage Virtualize product suite, including SAN Volume Controller, Storwize, and FlashSystem families.
These flaws enable attackers to bypass authentication and execute arbitrary code remotely via the graphical user interface (GUI), posing significant risks to enterprise storage environments.
Critical Authentication Bypass and Code Execution Risks
The vulnerabilities center on the RPCAdapter service, a component enabling remote procedure calls in IBM’s storage systems.
CVE-2025-0159 (CVSS 9.1) stems from improper authentication in the RPCAdapter endpoint. Attackers can craft malicious HTTP requests containing specially formatted headers to bypass credential checks entirely.
This allows unauthorized access to administrative functions without valid tokens or certificates. Once past authentication via CVE-2025-0159, adversaries can chain CVE-2025-0160 (CVSS 8.1) to execute arbitrary Java code.
That second vulnerability arises from inadequate sandboxing in the RPCAdapter's deserialization processes, which lets attackers load malicious class files through manipulated RPC payloads.
Chained together, the two flaws enable full system compromise, including:
- Data exfiltration from storage volumes
- Deployment of ransomware across replicated systems
- Credential harvesting from attached management interfaces
IBM confirms the command-line interface (CLI) remains unaffected, as the vulnerabilities are isolated to GUI components interacting with the RPCAdapter service.
Affected Products and Versions
The flaws impact nearly all IBM Storage Virtualize deployments running versions 8.5.0.0 through 8.7.2.1, including:
- SAN Volume Controller
- Storwize V5000/V7000 series
- FlashSystem 5x00, 7x00, 9x00 models
- Spectrum Virtualize for Public Cloud
IBM's version matrix lists the affected levels across several code branches:
- 8.5.x: All versions up to 8.5.0.13, 8.5.1.0, 8.5.2.3, 8.5.3.1, and 8.5.4.0
- 8.6.x: Versions up to 8.6.0.5, 8.6.2.1, and 8.6.3.0
- 8.7.x: Versions up to 8.7.0.2 and 8.7.2.1
Remediation: Patch Now
IBM directs customers to upgrade immediately to the following fixed code levels:
- 8.5.0.14 for 8.5.0.x deployments
- 8.6.0.6 for 8.5.1–8.5.4 and 8.6.0.x
- 8.7.0.3 for 8.6.1–8.6.3 and 8.7.0.x
- 8.7.2.2 for 8.7.1–8.7.2.1 installations
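To turn the branch matrix and fix table above into something an administrator can run against a fleet inventory, here is an added Python example (not IBM tooling; the host names and inventory are constructed for illustration, and the only version numbers it encodes are the ones quoted in this article):

```python
"""Map IBM Storage Virtualize code levels to the fix level named in the
advisory for CVE-2025-0159 / CVE-2025-0160 (added example, not IBM code)."""

# Fixed code level per affected branch (major.minor.release), per the list above:
# 8.5.0.x -> 8.5.0.14; 8.5.1-8.5.4 and 8.6.0.x -> 8.6.0.6;
# 8.6.1-8.6.3 and 8.7.0.x -> 8.7.0.3; 8.7.1-8.7.2.1 -> 8.7.2.2.
FIX_FOR_BRANCH = {
    (8, 5, 0): (8, 5, 0, 14),
    **{(8, 5, r): (8, 6, 0, 6) for r in (1, 2, 3, 4)},
    (8, 6, 0): (8, 6, 0, 6),
    **{(8, 6, r): (8, 7, 0, 3) for r in (1, 2, 3)},
    (8, 7, 0): (8, 7, 0, 3),
    (8, 7, 1): (8, 7, 2, 2),
    (8, 7, 2): (8, 7, 2, 2),
}

def parse_level(text: str) -> tuple:
    """Parse a four-part code level such as '8.7.2.1' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part code level: {text!r}")
    return tuple(int(p) for p in parts)

def assess(level: str) -> tuple:
    """Return (status, required_fix): status is 'affected', 'fixed' or 'unlisted'.
    A level is affected when its branch is in the matrix and it sits below the
    branch's fix level; branches outside the matrix (e.g. 8.4.x) are 'unlisted',
    which the article says need migration to a supported release anyway."""
    v = parse_level(level)
    fix = FIX_FOR_BRANCH.get(v[:3])
    if fix is None:
        return ("unlisted", None)
    if v < fix:
        return ("affected", ".".join(map(str, fix)))
    return ("fixed", None)

def triage(inventory: dict) -> dict:
    """Group affected hosts by the fix level they must be upgraded to."""
    todo = {}
    for host, level in inventory.items():
        status, fix = assess(level)
        if status == "affected":
            todo.setdefault(fix, []).append(host)
    return todo

# Constructed sample inventory: host name -> reported code level.
SAMPLE = {"svc-node1": "8.5.0.13", "fs9500-a": "8.7.2.1",
          "fs7200-b": "8.6.0.6", "lab-old": "8.4.0.10"}

if __name__ == "__main__":
    for fix, hosts in sorted(triage(SAMPLE).items()):
        print(f"upgrade to {fix}: {', '.join(hosts)}")
```

Hosts reported as "unlisted" are not cleared by this check; they simply fall outside the branches the advisory enumerates.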
Notably, older branches require migration to supported versions like 8.6.x, reflecting IBM’s shift toward Long-Term Support (LTS) releases.
Administrators must download updates via IBM’s Fix Central portal. Platform-specific patches are available for FlashSystem 5000/5200/7200/9500 and SAN Volume Controller nodes.
The absence of viable workarounds heightens the urgency. While network segmentation and firewall rules could theoretically limit exposure, IBM stresses that patching remains the only definitive mitigation.