Advisory

Multiple Dell Storage Manager vulnerabilities patched, at least one critical

Take action: If you're using Dell Storage Manager, make sure the management interface is isolated from the internet and accessible only from trusted networks. Then plan a quick upgrade to version 2020 R1.22 or later. This is not a panic-mode patch, but it is wise to plan it out, since updating storage components can be a longer process.


Learn More

Dell Technologies is reporting three security vulnerabilities in its Storage Manager software, the most severe rated critical, that could allow remote attackers to bypass authentication controls, access sensitive information, and compromise enterprise storage infrastructure.

Vulnerabilities summary:

  • CVE-2025-43995 (CVSS score 9.8) - Improper Authentication vulnerability in DSM Data Collector. An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId. These UserIds belong to special users created in compellentservicesapi for other purposes, but they are still accepted as valid on the exposed API.
  • CVE-2025-43994 (CVSS score 8.6) - Missing Authentication for Critical Function. It enables unauthenticated remote attackers to extract configuration data, operational details, and sensitive information from storage management systems.
  • CVE-2025-46425 (CVSS score 6.5) - Improper Restriction of XML External Entity Reference. This flaw allows the application to parse untrusted XML input without restrictions, enabling attackers to reference external entities and exfiltrate sensitive data such as configuration files, authentication tokens, or other confidential information stored on the system.
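The third item is the classic CWE-611 condition: an XML parser that honours a DOCTYPE with an external entity will read whatever the entity points at and splice it into the document. The following is an added example (not Dell's code, and not taken from Dell Storage Manager) showing a default JAXP DocumentBuilderFactory beside a hardened one, using a constructed request document whose entity points at a placeholder path. The class name, the constructed XML and the placeholder path are assumptions for illustration only.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeHardening {

    // Constructed sample input (assumption, not from the advisory): a request
    // document that declares an external entity pointing at a placeholder
    // local path. A parser that processes the DOCTYPE would try to read that
    // file and place its contents inside <name>.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE request [\n" +
        "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\">\n" +
        "]>\n" +
        "<request><name>&ext;</name></request>\n";

    // Weak setting: a default DocumentBuilderFactory. Depending on the JDK
    // and any JAXP properties in effect, it processes DTDs and resolves
    // external entities, which is the condition CVE-2025-46425 describes.
    static DocumentBuilderFactory unrestrictedFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened setting: refuse DOCTYPE declarations outright. With no DTD
    // processing there is no entity to resolve, so the parser can neither
    // read local files nor make outbound fetches on the caller's behalf.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not support the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Parses the document and returns the text of <name>, or a short
    // description of the rejection if the parser refused the input.
    static String parseName(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getElementsByTagName("name").item(0).getTextContent();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // The hardened factory rejects the document at the DOCTYPE, before
        // any entity is looked at.
        System.out.println("hardened: " + parseName(hardenedFactory(), UNTRUSTED_XML));
        // Uncomment to observe what the unrestricted parser does on your JDK:
        // System.out.println("default : " + parseName(unrestrictedFactory(), UNTRUSTED_XML));
    }
}
```

The point of the hardened factory is that the first feature, disallow-doctype-decl, is the one that actually closes the class of bug: every other line is there only for parser implementations that ignore it. When reviewing a management-plane service for this weakness, look for every place a DocumentBuilderFactory, SAXParserFactory, XMLInputFactory or similar is created and confirm each one disables DTD processing before it touches network input.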

Affected versions are Dell Storage Manager versions prior to 2020 R1.21 on Community Edition and Enterprise Edition deployments. Impacted products include: Dell Storage SC100, SC120, SC180, SC400, SC420, SC420F, SC460, SC5020, SC5020F, SC7020, SC7020F, SC8000, SC9000, and various SCv Series models including SCv300, SCv320, SCv360, SCv2000, SCv2020, SCv2080, SCv3000, and SCv3020.

Patched versions are available beginning with Dell Storage Manager version 2020 R1.22. Dell Technologies strongly recommends that all customers running affected versions immediately upgrade to the patched release to mitigate the risk of exploitation.

Organizations that cannot immediately upgrade should harden the Storage Manager management interface by restricting it to trusted networks only and making sure it is not exposed to the public internet.
