Dell Technologies has disclosed three critical vulnerabilities affecting Dell Storage Manager that could allow unauthenticated remote attackers to completely compromise storage systems.
Dell Storage Manager 2020 R1.21 (20.1.21) and earlier are vulnerable to attacks that bypass authentication entirely, letting an adversary obtain full administrative access without valid credentials.
The vulnerabilities, disclosed on October 24, 2025, pose an immediate threat to organizations relying on Dell Storage Center infrastructure.
The most severe vulnerability, CVE-2025-43995, carries a critical CVSS base score of 9.8: it is exploitable over the network with low attack complexity and requires neither privileges nor user interaction.
This improper authentication vulnerability affects Dell Storage Manager 20.1.21 and earlier and allows unauthenticated attackers to bypass protection mechanisms through the DataCollectorEar.ear component.
Specifically, the flaw is reachable through APIs exposed by ApiProxy.war, which accept specially crafted SessionKey and UserId parameters.
Dell's security advisory states that these values correspond to special service accounts created within compellentservicesapi for administrative purposes.
An attacker exploiting this vulnerability gains unrestricted access to storage management functions, and can read sensitive data, modify configurations, or disrupt storage operations.
The second vulnerability, CVE-2025-43994, also deserves immediate attention, with a CVSS score of 8.6 (High).
This missing-authentication flaw affects Dell Storage Manager 20.1.21 and earlier and lets unauthenticated remote attackers reach critical functions that should require authentication.
Its impact is information disclosure: attackers can retrieve sensitive data about storage configurations, user accounts, and system topology without valid credentials.
Together, the two authentication flaws let an attacker first map the system's components and then abuse them.
XML Entity Reference Vulnerability
Complementing these authentication bypasses, CVE-2025-46425 is an XML external entity (XXE) vulnerability with a CVSS score of 6.5. It affects Dell Storage Manager version 20.1.20, requires low privileges (an authenticated account), and is most useful as one stage of a longer attack.
The improper restriction of XML external entity references lets an attacker who can submit XML to the application make its parser resolve entities the attacker controls, potentially reading sensitive files from the management host or reaching other systems inside the infrastructure.
While this vulnerability requires authentication, that barrier disappears once an attacker has used the authentication-bypass flaws in the same software.
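To make the XXE class concrete, the following added example (not code from Dell or from the advisory) runs one attacker-supplied document through a parser that resolves external entities and through a hardened one that does not. It uses Python's standard library; the payload, the target file and its contents are constructed for the demo, and nothing here reflects how Dell Storage Manager actually parses XML.

```python
"""XXE demonstration with Python's xml.sax (stdlib only).

Added example, not code from Dell or from the Dell Storage Manager advisory.
It shows the class of flaw behind CVE-2025-46425: a parser that resolves
external entities lets attacker-supplied XML read files the server can read.
The XML payload and the "secret" file are constructed here for the demo.
"""
import io
import pathlib
import tempfile
import xml.sax
from xml.sax import handler


class _TextCollector(handler.ContentHandler):
    """Collects character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted(xml_bytes: bytes, allow_external_entities: bool) -> str:
    """Parse XML and return its text content.

    allow_external_entities=True reproduces the vulnerable configuration
    (external general entities are fetched and expanded); False is the
    hardened setting, which is also Python's default since 3.7.1.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts).strip()


def build_xxe_payload(target_uri: str) -> bytes:
    """Constructed attacker payload: a DOCTYPE declaring an external entity
    that points at a local file, then a reference to it in the body."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE request [\n'
        f'  <!ENTITY xxe SYSTEM "{target_uri}">\n'
        ']>\n'
        '<request><name>&xxe;</name></request>\n'
    ).encode()


def demo() -> tuple[str, str]:
    """Run the payload through both parser configurations.

    Returns (vulnerable_result, hardened_result).
    """
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = pathlib.Path(tmp) / "credentials.txt"
        secret_path.write_text("svc-account:hunter2")  # constructed sample secret
        payload = build_xxe_payload(secret_path.as_uri())
        vulnerable = parse_untrusted(payload, allow_external_entities=True)
        hardened = parse_untrusted(payload, allow_external_entities=False)
    return vulnerable, hardened


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

The vulnerable configuration returns the file contents inside the parsed text; the hardened one returns nothing for the entity reference. The same fix applies in Java applications such as a .war-based API: refuse DOCTYPE declarations and external entities in the parser factory (for example the `http://apache.org/xml/features/disallow-doctype-decl` feature on `DocumentBuilderFactory`) rather than trying to filter the input.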
Dell Technologies strongly recommends that all customers upgrade to Dell Storage Manager 2020 R1.22 or later to remediate these vulnerabilities.
The remediation addresses all three CVEs and should be prioritized immediately given the critical nature of these vulnerabilities.
Organizations running Dell Storage Manager should assess their current versions against the affected product list and apply updates without delay.
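A quick way to do that assessment across an inventory is shown in the following added example (not Dell's code). The advisory text names the affected builds as 20.1.21 and 20.1.20 and the fix as 2020 R1.22, so the helper treats the short form "20.1.N" and the long form "2020 R1.N" as the same release line (an assumption made for this example) and flags anything below 2020 R1.22. The hostnames and version strings in the sample inventory are constructed.

```python
"""Triage Dell Storage Manager (DSM) versions against the fixed release.

Added example, not Dell's code. It assumes "20.1.N" and "2020 R1.N" name the
same release line (an assumption for this example) and flags anything below
2020 R1.22, the remediation release named in the advisory. The sample
inventory below is constructed; the hostnames are not real.
"""
import re

FIXED_VERSION = (2020, 1, 22)   # 2020 R1.22, per the Dell remediation guidance

_LONG = re.compile(r"^\s*(?P<year>\d{4})\s*R(?P<rel>\d+)\.(?P<patch>\d+)\s*$", re.I)
_SHORT = re.compile(r"^\s*(?P<yy>\d{2})\.(?P<rel>\d+)\.(?P<patch>\d+)\s*$")


def parse_dsm_version(text: str) -> tuple[int, int, int]:
    """Normalise "2020 R1.21" or "20.1.21" to (year, release, patch)."""
    m = _LONG.match(text)
    if m:
        return int(m["year"]), int(m["rel"]), int(m["patch"])
    m = _SHORT.match(text)
    if m:
        return 2000 + int(m["yy"]), int(m["rel"]), int(m["patch"])
    raise ValueError(f"unrecognised DSM version string: {text!r}")


def needs_upgrade(text: str) -> bool:
    """True when the version is below the fixed release (tuple comparison)."""
    return parse_dsm_version(text) < FIXED_VERSION


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split hosts into 'upgrade', 'ok' and 'unknown' buckets.

    Unparseable versions land in 'unknown' so they are reviewed by hand
    rather than silently treated as patched.
    """
    result = {"upgrade": [], "ok": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "upgrade" if needs_upgrade(version) else "ok"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are not real data).
SAMPLE_INVENTORY = {
    "dsm-prod-01": "2020 R1.21",
    "dsm-prod-02": "20.1.20",
    "dsm-lab-01": "2020 R1.22",
    "dsm-dr-01": "2020 R1.23",
    "dsm-old-01": "2019 R1.30",
    "dsm-legacy": "unknown build",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s}: {', '.join(hosts) or '-'}")
```

Feed it the version strings your asset inventory already holds; anything in the "upgrade" bucket is below the release Dell names as the fix, and anything in "unknown" needs a manual check of the build before it is assumed safe.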
The attack surface is particularly concerning because the two authentication flaws can be exploited remotely over the network without user interaction, which makes them attractive to threat actors targeting enterprise storage infrastructure.
Attribution and Timeline
Dell credited security researchers from Tenable for identifying CVE-2025-43995 and CVE-2025-43994, while independent researcher Ahmed Y. Elmogy discovered CVE-2025-46425. The advisory was revised on the same day as its initial disclosure, with Dell updating the remediation guidance to version 2020 R1.22 or later.
Security teams should review their Dell Storage Manager deployments immediately and schedule patching to eliminate the authentication-bypass risk before working exploits circulate.