DSA-2025-393: Security Update for Storage Center - Dell Storage Manager Vulnerabilities
Yhteenveto: Dell Storage Manager remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise of the affected system.
Vaikutus
Critical
Tiedot
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2025-43995 |
Dell Storage Center - Dell Storage Manager, version(s) 20.1.21, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Authentication Bypass in DSM Data Collector. An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId. These userid are special users created in compellentservicesapi for special purposes. |
9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2025-43994 | Dell Storage Center - Dell Storage Manager, version(s) DSM 20.1.21, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
| CVE-2025-46425 | Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2025-43995 |
Dell Storage Center - Dell Storage Manager, version(s) 20.1.21, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Authentication Bypass in DSM Data Collector. An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId. These userid are special users created in compellentservicesapi for special purposes. |
9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2025-43994 | Dell Storage Center - Dell Storage Manager, version(s) DSM 20.1.21, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
| CVE-2025-46425 | Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Tuotteet, joihin asia vaikuttaa, ja tilanteen korjaaminen
| Product | Affected Versions | Remediated Versions | Link |
| Dell Storage Manager | Versions prior to 2020 R1.21 | Version 2020 R1.22 or later | https://www.dell.com/support/product-details/product/storage-sc2000/drivers |
| Product | Affected Versions | Remediated Versions | Link |
| Dell Storage Manager | Versions prior to 2020 R1.21 | Version 2020 R1.22 or later | https://www.dell.com/support/product-details/product/storage-sc2000/drivers |
Versiohistoria
| Revision | Date | Description |
| 1.0 | 2025-10-24 | Initial Release |
| 2.0 | 2025-10-24 | Updated the Remediated version to 2020 R1.22 or later |
Kiitokset
CVE-2025-43994. CVE-2025-43995: Dell would like to thank Tenable for reporting the issue.
CVE-2025-46425: Dell would like to thank Ahmed Y. Elmogy for reporting this issue.