Remote Java Code Exec via RPCAdapter in IBM FlashSystem Storage Virtualize
CVE-2025-0160 Published on February 28, 2025
IBM FlashSystem code execution
IBM FlashSystem (IBM Storage Virtualize (8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, 8.7.2.0 through 8.7.2.1) could allow a remote attacker with access to the system to execute arbitrary Java code due to improper restrictions in the RPCAdapter service.
Vulnerability Analysis
CVE-2025-0160 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Process Control
Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker. Process control vulnerabilities take two forms: 1. An attacker can change the command that the program executes: the attacker explicitly controls what the command is. 2. An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means. Process control vulnerabilities of the first type occur when either data enters the application from an untrusted source and the data is used as part of a string representing a command that is executed by the application. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.
Products Associated with CVE-2025-0160
Want to know whenever a new CVE is published for IBM Storage Virtualize? stack.watch will email you.
Affected Versions
IBM Storage Virtualize:- Version 8.5.0.0, <= 8.5.0.13 is affected.
- Version 8.5.1.0 is affected.
- Version 8.5.2.0, <= 8.5.2.3 is affected.
- Version 8.5.3.0, <= 8.5.3.1 is affected.
- Version 8.5.4.0 is affected.
- Version 8.6.0.0, <= 8.6.0.5 is affected.
- Version 8.6.1.0 is affected.
- Version 8.6.2.0, <= 8.6.2.1 is affected.
- Version 8.6.3.0 is affected.
- Version 8.7.1.0 is affected.
- Version 8.7.2.0, <= 8.7.2.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.