CVE-2025-43995

Dell Storage Center - Dell Storage Manager, version(s) 20.1.21, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Authentication Bypass in DSM Data Collector. An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId. These userid are special users created in compellentservicesapi for special purposes.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.dell.com/support/kbdoc/en-us/000382899/dsa-2025-393-security-update-for-storage-center-dell-storage-manager-vulnerabilities	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dell:storage_manager::::::::
	cpe:2.3:a:dell:storage_manager:2020:r1::::::
	cpe:2.3:a:dell:storage_manager:2020:r1.10::::::
	cpe:2.3:a:dell:storage_manager:2020:r1.2::::::
	cpe:2.3:a:dell:storage_manager:2020:r1.20::::::

History

No history.

Information

Published : 2025-10-24 15:15

Updated : 2025-11-04 14:43

NVD link : CVE-2025-43995

Mitre link : CVE-2025-43995

CVE.ORG link : CVE-2025-43995

JSON object : View

Products Affected

dell

storage_manager

CWE

CWE-287

Improper Authentication

{"id": "CVE-2025-43995", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security_alert@emc.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-10-24T15:15:38.380", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000382899/dsa-2025-393-security-update-for-storage-center-dell-storage-manager-vulnerabilities", "tags": ["Vendor Advisory"], "source": "security_alert@emc.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security_alert@emc.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Dell Storage Center - Dell Storage Manager, version(s) 20.1.21, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Authentication Bypass in DSM Data Collector. An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId. These userid are special users created in compellentservicesapi for special purposes."}], "lastModified": "2025-11-04T14:43:05.420", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dell:storage_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F19B1117-55A1-46EC-A046-BE3B99EC4900", "versionEndExcluding": "2020"}, {"criteria": "cpe:2.3:a:dell:storage_manager:2020:r1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "567442CC-381B-43A1-ADE9-AE00075021D4"}, {"criteria": "cpe:2.3:a:dell:storage_manager:2020:r1.10:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B978EFB1-877F-4091-A401-F1861229E033"}, {"criteria": "cpe:2.3:a:dell:storage_manager:2020:r1.2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "263E78BD-D8C0-480F-9EED-D5496708CFCD"}, {"criteria": "cpe:2.3:a:dell:storage_manager:2020:r1.20:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1055DB85-9105-44E5-9CEB-509C7F7041FE"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}