CVE-2025-26515
📋 TL;DR
An unauthenticated attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability in StorageGRID to change passwords for Grid Manager or Tenant Manager users when Single Sign-on is disabled. This affects StorageGRID versions before 11.8.0.15 and 11.9.0.8 without SSO enabled. The vulnerability allows complete account takeover of administrative users.
💻 Affected Systems
- NetApp StorageGRID (formerly StorageGRID Webscale)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the StorageGRID management infrastructure, allowing an attacker to reset all administrative passwords, gain full control over the storage systems, and potentially exfiltrate or destroy data.
Likely Case
An attacker gains administrative access to the StorageGRID management interface, enabling configuration changes, user management, and potential data access.
If Mitigated
With SSO enabled, the vulnerability is not exploitable, maintaining normal security posture.
🎯 Exploit Status
Exploitation requires SSRF knowledge and understanding of StorageGRID's internal API endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.8.0.15 or 11.9.0.8
Vendor Advisory: https://security.netapp.com/advisory/NTAP-20250910-0002
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download the appropriate patch version from the NetApp support site.
3. Apply the patch following the StorageGRID upgrade procedures.
4. Restart the affected services.
5. Verify the patch installation and functionality.
🔧 Temporary Workarounds
Enable Single Sign-on (SSO)
Enabling SSO completely mitigates the vulnerability, as it removes the unauthenticated attack vector.
Network Segmentation
Restrict access to StorageGRID management interfaces to trusted networks only.
🧯 If You Can't Patch
- Enable Single Sign-on (SSO) immediately if not already enabled
- Implement strict network access controls to limit StorageGRID management interface exposure
🔍 How to Verify
Check if Vulnerable:
Check the StorageGRID version via the admin interface or CLI. If the version is below 11.8.0.15 (on 11.8.x) or below 11.9.0.8 (on 11.9.x) AND SSO is disabled, the system is vulnerable.
Check Version:
ssh admin@storagegrid-node 'sudo storagegrid node status' or check via StorageGRID Admin Node web interface
Verify Fix Applied:
Verify that the version is 11.8.0.15 or higher (for 11.8.x) or 11.9.0.8 or higher (for 11.9.x) via the admin interface or CLI.
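The branch-aware version check above is easy to get wrong when it is scripted across a fleet (11.9.0.3 is newer than 11.8.0.15 but still affected). The following is an added example, not code from NetApp or from this advisory, that encodes the page's affected range and the SSO condition; the version strings and SSO flags it consumes are constructed inputs, and how you obtain them from your nodes (web interface or CLI) is left to you. Versions newer than the 11.9 branch are outside the page's stated range, so the check returns None for them rather than assuming they are safe.

```python
"""
Added example (not from the advisory): decide whether a StorageGRID
deployment falls in the affected range for CVE-2025-26515 from its
version string and SSO state. Inputs are constructed for illustration.
"""
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by release branch.
FIXED_VERSIONS = {
    (11, 8): (11, 8, 0, 15),
    (11, 9): (11, 9, 0, 8),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.8.0.12' into (11, 8, 0, 12); pad to four components so a
    short string such as '11.8' compares as 11.8.0.0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_version_affected(version: str) -> Optional[bool]:
    """True if the version is below the fixed release for its branch.

    Branches older than 11.8 are below 11.8.0.15 and are treated as
    affected. Branches newer than 11.9 are not covered by the advisory's
    stated range, so None is returned (assumption: do not infer safety).
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    if branch < (11, 8):
        return True
    return None


def is_vulnerable(version: str, sso_enabled: bool) -> Optional[bool]:
    """Combine version and SSO state: with SSO enabled the unauthenticated
    path is closed regardless of version, per the advisory."""
    if sso_enabled:
        return False
    return is_version_affected(version)


if __name__ == "__main__":
    # Constructed sample inventory: (version, sso_enabled)
    fleet = [("11.8.0.12", False), ("11.8.0.15", False),
             ("11.9.0.3", True), ("11.9.0.7", False), ("11.10.0.1", False)]
    for ver, sso in fleet:
        print(f"{ver:>10} {'SSO' if sso else 'no-SSO':>6} -> {is_vulnerable(ver, sso)}")
```

Feed it the version string from each Admin Node and the grid's SSO setting; any True result is a node to patch or to protect with SSO and network restrictions until patched.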
📡 Detection & Monitoring
Log Indicators:
- Unusual password reset requests
- Failed authentication attempts followed by successful password changes
- SSRF-related error messages in application logs
Network Indicators:
- HTTP requests to internal endpoints from external sources
- Unusual API calls to user management endpoints
SIEM Query:
source="storagegrid" AND (event_type="password_reset" OR event_type="user_modify") AND src_ip NOT IN trusted_networks
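The query above is a filter on two event types from untrusted sources; the log indicator "failed authentication attempts followed by successful password changes" adds a correlation step that most SIEMs need a second rule for. Here is an added example, not part of this advisory and not StorageGRID's own code, that applies both over a few constructed audit lines. The `timestamp key=value` layout, the event_type names, and the trusted networks are assumptions chosen to mirror the page's query; StorageGRID's real audit log uses its own format, so adapt `parse_line` before running this over live data.

```python
"""
Added example (not from the advisory): apply the page's SIEM logic, plus
the "failed auth followed by password change" correlation, to constructed
StorageGRID-style audit lines. Log layout and field names are assumptions.
"""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample lines in an assumed "timestamp key=value ..." layout.
SAMPLE_LOG = """\
2025-09-10T10:02:11Z event_type=auth_failure user=admin src_ip=203.0.113.7
2025-09-10T10:02:40Z event_type=password_reset user=admin src_ip=203.0.113.7
2025-09-10T10:05:00Z event_type=password_reset user=ops src_ip=10.0.5.12
2025-09-10T10:06:00Z event_type=user_modify user=tenant1 src_ip=198.51.100.9
2025-09-10T10:07:00Z event_type=login user=ops src_ip=10.0.5.12
"""

# Assumed trusted management networks (the query's trusted_networks list).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Account-changing events the advisory's query keys on.
SENSITIVE_EVENTS = {"password_reset", "user_modify"}
# How far back to look for a failed login from the same source.
CORRELATION_WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> Dict[str, str]:
    """Split 'ts k=v k=v ...' into a dict; the timestamp is stored as 'ts'."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_ts(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious_changes(log_text: str) -> List[Dict[str, str]]:
    """Return password_reset/user_modify events from untrusted sources,
    tagged with whether the same source logged an auth_failure within
    CORRELATION_WINDOW beforehand."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hits = []
    for ev in events:
        if ev["event_type"] not in SENSITIVE_EVENTS or is_trusted(ev["src_ip"]):
            continue
        t = parse_ts(ev["ts"])
        preceded = any(
            o["event_type"] == "auth_failure"
            and o["src_ip"] == ev["src_ip"]
            and timedelta(0) <= t - parse_ts(o["ts"]) <= CORRELATION_WINDOW
            for o in events
        )
        hits.append({**ev, "preceded_by_auth_failure": "yes" if preceded else "no"})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_changes(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['event_type']:<15} user={hit['user']:<8} "
              f"src={hit['src_ip']:<14} prior_auth_failure={hit['preceded_by_auth_failure']}")
```

On the sample data the reset for `admin` from 203.0.113.7 is flagged with a preceding failed login, the `tenant1` modification from 198.51.100.9 is flagged without one, and the reset from the trusted 10.0.5.12 address is ignored. The correlation raises the priority of a hit rather than gating it: the vulnerability is unauthenticated, so a password change from an untrusted network with no failed logins before it still deserves a look.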