DSA-2025-393: Security Update for Storage Center - Dell Storage Manager Vulnerabilities
Сводка: Dell Storage Manager remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise of the affected system.
Влияние
Critical
Подробные сведения
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2025-43995 |
Dell Storage Center - Dell Storage Manager, version(s) 20.1.21, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Authentication Bypass in DSM Data Collector. An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId. These userid are special users created in compellentservicesapi for special purposes. |
9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2025-43994 | Dell Storage Center - Dell Storage Manager, version(s) DSM 20.1.21, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
| CVE-2025-46425 | Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2025-43995 |
Dell Storage Center - Dell Storage Manager, version(s) 20.1.21, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Authentication Bypass in DSM Data Collector. An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId. These userid are special users created in compellentservicesapi for special purposes. |
9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2025-43994 | Dell Storage Center - Dell Storage Manager, version(s) DSM 20.1.21, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
| CVE-2025-46425 | Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Затронутые продукты и исправление
| Product | Affected Versions | Remediated Versions | Link |
| Dell Storage Manager | Versions prior to 2020 R1.21 | Version 2020 R1.22 or later | https://www.dell.com/support/product-details/product/storage-sc2000/drivers |
| Product | Affected Versions | Remediated Versions | Link |
| Dell Storage Manager | Versions prior to 2020 R1.21 | Version 2020 R1.22 or later | https://www.dell.com/support/product-details/product/storage-sc2000/drivers |
История изменений
| Revision | Date | Description |
| 1.0 | 2025-10-24 | Initial Release |
| 2.0 | 2025-10-24 | Updated the Remediated version to 2020 R1.22 or later |
Сведения об авторе и авторских правах
CVE-2025-43994. CVE-2025-43995: Dell would like to thank Tenable for reporting the issue.
CVE-2025-46425: Dell would like to thank Ahmed Y. Elmogy for reporting this issue.