Dell Storage Manager CVE-2025-43995: Brief Summary of Critical Improper Authentication Vulnerability

A brief summary of CVE-2025-43995, a critical improper authentication vulnerability in Dell Storage Manager version 20.1.21. This post covers affected versions, technical exploitation details, patch information, and vendor security history.
CVE Analysis

7 min read

ZeroPath CVE Analysis

2025-10-24

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Unauthorized access to enterprise storage management can lead to data loss, service disruption, and exposure of sensitive business information. Dell Storage Manager is a central platform for managing Dell Storage Center arrays and related products in many enterprise environments. A newly disclosed vulnerability, CVE-2025-43995, allows remote attackers to bypass authentication and gain privileged access to critical storage management APIs. This summary highlights the technical details, affected versions, patch information, and vendor security context for this vulnerability.

Technical Information

CVE-2025-43995 is an improper authentication vulnerability in Dell Storage Manager version 20.1.21. The flaw resides in the Data Collector component, specifically in the APIs exposed by ApiProxy.war within DataCollectorEar.ear. An attacker can exploit it by sending HTTP requests that carry SessionKey and UserId values corresponding to service accounts that the compellentservicesapi creates for internal operations. Because these values are not sufficiently validated, the system accepts them from unauthenticated sources and grants access to sensitive management APIs, allowing privileged actions on every storage array managed by the affected instance. The root cause is inadequate credential validation for internal service accounts that should never be reachable from outside the system.
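The root cause described above, that a request is trusted because it names an internal service account and carries some SessionKey rather than a key the system itself issued, is easier to see in code. The following is an added illustrative model, not Dell's code and not derived from the Data Collector: the class and function names, the endpoint path, the service-account ids, and the 10.0.0.0/8 "internal" network are all assumptions chosen for the example. It places the weak check beside a hardened one that only honours keys minted by a login, binds each key to its user, expires it, and refuses service-account principals that arrive from outside the internal network.

```python
"""Illustrative model of the CVE-2025-43995 root cause (added example, not Dell code).
A management API must not trust a SessionKey/UserId pair merely because the UserId
names a known internal service account; the key has to be one the server issued."""
from __future__ import annotations

import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass, field

# Constructed: principals that exist only for internal Data Collector work.
INTERNAL_SERVICE_ACCOUNTS = {"svc-collector", "svc-replication"}
# Constructed: the only network from which those principals may legitimately call.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class ApiRequest:
    source_ip: str
    path: str
    user_id: str
    session_key: str


@dataclass
class Session:
    user_id: str
    issued_at: float
    ttl: float = 900.0  # seconds

    def expired(self, now: float) -> bool:
        return now - self.issued_at > self.ttl


@dataclass
class SessionStore:
    sessions: dict[str, Session] = field(default_factory=dict)

    def login(self, user_id: str, now: float | None = None) -> str:
        """The only path that mints a key: unguessable and bound to one user."""
        key = secrets.token_urlsafe(32)
        self.sessions[key] = Session(user_id, time.time() if now is None else now)
        return key

    def lookup(self, key: str) -> Session | None:
        # Constant-time comparison so key validity cannot be probed via timing.
        for known, session in self.sessions.items():
            if hmac.compare_digest(known, key):
                return session
        return None


def authorize_vulnerable(req: ApiRequest) -> bool:
    """The weak pattern the advisory describes: the request is trusted because its
    UserId names an internal service account and a SessionKey is merely present."""
    return req.user_id in INTERNAL_SERVICE_ACCOUNTS and bool(req.session_key)


def authorize_hardened(store: SessionStore, req: ApiRequest, now: float) -> tuple[bool, str]:
    """Accept only a key the server issued, unexpired, bound to the claimed UserId,
    and, for service accounts, presented from the internal network."""
    session = store.lookup(req.session_key)
    if session is None:
        return False, "unknown session key"
    if session.expired(now):
        return False, "session expired"
    if session.user_id != req.user_id:
        return False, "session not bound to claimed UserId"
    if (req.user_id in INTERNAL_SERVICE_ACCOUNTS
            and ipaddress.ip_address(req.source_ip) not in INTERNAL_NET):
        return False, "service account used from external source"
    return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    now = 1_700_000_000.0
    # Constructed request from outside the internal network with a key nobody issued.
    forged = ApiRequest("203.0.113.7", "/ApiProxy/example", "svc-collector", "constructed-key")
    print("vulnerable accepts forged request:", authorize_vulnerable(forged))
    print("hardened verdict:", authorize_hardened(store, forged, now))
```

The four checks in `authorize_hardened` are independent; the last one is the most specific to this bug class, since a service account that only ever runs inside the collector has no legitimate reason to appear on an externally reachable interface at all.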

Patch Information

To address the identified vulnerabilities in Dell Storage Manager (DSM), Dell has released version 20.1.21. This update specifically mitigates the following issues:

  • CVE-2025-43995: An Improper Authentication vulnerability that could allow unauthenticated remote attackers to bypass protection mechanisms.
  • CVE-2025-43994: A Missing Authentication for Critical Function vulnerability, potentially leading to information disclosure.
  • CVE-2025-46425: An Improper Restriction of XML External Entity Reference vulnerability, which could result in unauthorized access.

Recommended Action:

Users are strongly advised to upgrade to DSM version 20.1.21 or later to ensure these vulnerabilities are effectively addressed.

Upgrade Steps:

  1. Backup Data: Before initiating the upgrade, ensure all critical data is backed up to prevent potential data loss.
  2. Download Update: Access the Dell Support website to download the latest DSM version.
  3. Install Update: Follow the provided installation instructions to apply the update.
  4. Verify Installation: After installation, confirm that the DSM version is updated to 20.1.21 or later.

By promptly applying this update, users can safeguard their systems against potential exploits targeting these vulnerabilities.

Patch source: Dell Security Advisory DSA-2025-393

Affected Systems and Versions

CVE-2025-43995 specifically affects Dell Storage Center - Dell Storage Manager version 20.1.21. Only this version is confirmed as vulnerable. The vulnerability is present in configurations where the Data Collector is deployed and exposes the ApiProxy.war interface. No other versions or products are listed as affected in the available advisories.

Vendor Security History

Dell Storage Manager has a documented history of authentication-related vulnerabilities. Previous issues include CVE-2024-38298 (authentication bypass), CVE-2025-43994 (missing authentication for critical function), and CVE-2025-46425 (improper restriction of XML external entity reference). Dell typically issues coordinated advisories and patches in response, but the recurrence of similar flaws suggests ongoing challenges in securing authentication mechanisms within this product line.
