DSA-2025-393: Security Update for Storage Center - Dell Storage Manager Vulnerabilities
Resumen: Dell Storage Manager remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise of the affected system.
Impacto
Critical
Detalles
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2025-43995 |
Dell Storage Center - Dell Storage Manager, version(s) 20.1.21, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Authentication Bypass in DSM Data Collector. An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId. These userid are special users created in compellentservicesapi for special purposes. |
9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2025-43994 | Dell Storage Center - Dell Storage Manager, version(s) DSM 20.1.21, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
| CVE-2025-46425 | Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2025-43995 |
Dell Storage Center - Dell Storage Manager, version(s) 20.1.21, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Authentication Bypass in DSM Data Collector. An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId. These userid are special users created in compellentservicesapi for special purposes. |
9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2025-43994 | Dell Storage Center - Dell Storage Manager, version(s) DSM 20.1.21, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
| CVE-2025-46425 | Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Corrección y productos afectados
| Product | Affected Versions | Remediated Versions | Link |
| Dell Storage Manager | Versions prior to 2020 R1.21 | Version 2020 R1.22 or later | https://www.dell.com/support/product-details/product/storage-sc2000/drivers |
| Product | Affected Versions | Remediated Versions | Link |
| Dell Storage Manager | Versions prior to 2020 R1.21 | Version 2020 R1.22 or later | https://www.dell.com/support/product-details/product/storage-sc2000/drivers |
Historial de revisiones
| Revision | Date | Description |
| 1.0 | 2025-10-24 | Initial Release |
| 2.0 | 2025-10-24 | Updated the Remediated version to 2020 R1.22 or later |
Reconocimientos
CVE-2025-43994. CVE-2025-43995: Dell would like to thank Tenable for reporting the issue.
CVE-2025-46425: Dell would like to thank Ahmed Y. Elmogy for reporting this issue.