IBM has published urgent security advisories for two critical vulnerabilities (CVE-2025-0159, CVE-2025-0160) affecting all Storage Virtualize products, including the SAN Volume Controller, Storwize and FlashSystem families.
The flaws let attackers bypass authentication and execute arbitrary code through the remote graphical user interface (GUI), posing a significant risk to enterprise storage environments.
Critical authentication bypass and code execution risk
Both vulnerabilities lie in the RPCAdapter service, a component that handles remote procedure calls in IBM storage systems.
CVE-2025-0159 (CVSS 9.1) stems from an inadequate authentication mechanism in the RPCAdapter endpoint. Attackers can send specially crafted HTTP requests containing a malformed header to bypass login entirely.
This grants unauthorized access to administrative functions without any valid tokens or certificates. Once authenticated via CVE-2025-0159, an adversary can use CVE-2025-0160 (CVSS 8.1) to execute arbitrary Java code.
That second flaw stems from insufficient sandboxing in RPCAdapter's deserialization routine, which lets attackers load malicious class files through manipulated RPC payloads.
Chained together, the two flaws allow full system compromise, including:
Exfiltration of data from storage volumes
Ransomware deployment across replicated systems
Credential harvesting from management interfaces
IBM confirms that the command-line interface (CLI) is unaffected, because the vulnerabilities are isolated to the GUI components that interact with the RPCAdapter service.
Affected products and versions
The flaws affect almost all IBM Storage Virtualize deployments running versions 8.5.0.0 through 8.7.2.1, including:
SAN Volume Controller
Storwize V5000 / V7000 series
FlashSystem 5x00, 7x00 and 9x00 models
Spectrum Virtualize for Public Cloud
A detailed version matrix breaks the exposure down by code branch:
8.5.x: all releases up to 8.5.0.13, 8.5.1.0, 8.5.2.3, 8.5.3.1 and 8.5.4.0
8.6.x: releases up to 8.6.0.5, 8.6.2.1 and 8.6.3.0
8.7.x: releases up to 8.7.0.2 and 8.7.2.1
Remediation: patch now
IBM requires immediate updates to the following fixed code levels:
8.5.0.14 for 8.5.0.x installations
8.6.0.6 for 8.5.1–8.5.4 and 8.6.0.x
8.7.0.3 for 8.6.1–8.6.3 and 8.7.0.x
8.7.2.2 for 8.7.1–8.7.2.1 installations
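To triage a fleet against the version matrix and fix levels quoted above, the following added example (not IBM's code) encodes that table and classifies a reported code level; it assumes the four-part dotted version format shown in the article and treats branches absent from the detailed matrix as unknown rather than safe.

```python
# Added example, not IBM's code: encodes the affected-version matrix and
# fixed code levels quoted in this article so an operator can triage
# Storage Virtualize systems by the code level they report.
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Highest affected release per code branch, as listed in the article.
AFFECTED_MAX = {
    (8, 5, 0): (8, 5, 0, 13), (8, 5, 1): (8, 5, 1, 0),
    (8, 5, 2): (8, 5, 2, 3),  (8, 5, 3): (8, 5, 3, 1),
    (8, 5, 4): (8, 5, 4, 0),  (8, 6, 0): (8, 6, 0, 5),
    (8, 6, 2): (8, 6, 2, 1),  (8, 6, 3): (8, 6, 3, 0),
    (8, 7, 0): (8, 7, 0, 2),  (8, 7, 2): (8, 7, 2, 1),
}

def parse_version(text: str) -> Version:
    """Parse a dotted code level such as '8.6.0.5' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised code level: {text!r}")
    return tuple(int(p) for p in m.groups())  # type: ignore[return-value]

def fix_level(v: Version) -> Optional[str]:
    """Fixed code level the article lists for this branch (None if not listed)."""
    major, minor, patch, _ = v
    if (major, minor, patch) == (8, 5, 0):
        return "8.5.0.14"
    if ((major, minor) == (8, 5) and 1 <= patch <= 4) or (major, minor, patch) == (8, 6, 0):
        return "8.6.0.6"
    if ((major, minor) == (8, 6) and 1 <= patch <= 3) or (major, minor, patch) == (8, 7, 0):
        return "8.7.0.3"
    if (major, minor) == (8, 7) and 1 <= patch <= 2:
        return "8.7.2.2"
    return None

def assess(text: str) -> dict:
    """Classify a code level: affected is True/False, or None when the branch
    is not in the detailed matrix (check IBM's advisory in that case)."""
    v = parse_version(text)
    branch = v[:3]
    affected = None if branch not in AFFECTED_MAX else v <= AFFECTED_MAX[branch]
    fix = fix_level(v) if affected is not False else None
    return {"version": text, "affected": affected, "fix_level": fix}
```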
Notably, the oldest branches require a migration to a supported release such as 8.6.x, reflecting IBM's shift toward long-term support (LTS) releases.
Administrators should download the updates through IBM Fix Central. Platform-specific fixes are available for FlashSystem 5000/5200/7200/9500 and SAN Volume Controller.
The absence of workarounds adds urgency. Although network segmentation and firewall rules can in theory limit exposure, IBM stresses that patching remains the only definitive mitigation.