CVE-2025-43995
📋 TL;DR
CVE-2025-43995 is an authentication bypass vulnerability in Dell Storage Manager that allows unauthenticated remote attackers to access protected APIs using special session keys and user IDs. This affects Dell Storage Center systems running Dell Storage Manager version 20.1.21, potentially exposing sensitive storage management functions.
💻 Affected Systems
- Dell Storage Center running Dell Storage Manager (version 20.1.21)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of storage infrastructure, data exfiltration, ransomware deployment, or destruction of storage systems.
Likely Case
Unauthorized access to storage management functions, configuration changes, data access, and potential privilege escalation.
If Mitigated
Limited impact if systems are isolated, patched, or have additional authentication layers.
🎯 Exploit Status
Attack uses known special SessionKey and UserId values to bypass authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to version specified in DSA-2025-393
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000382899/dsa-2025-393-security-update-for-storage-center-dell-storage-manager-vulnerabilities
Restart Required: Yes
Instructions:
1. Review Dell advisory DSA-2025-393.
2. Download and apply the security update from Dell Support.
3. Restart the affected Dell Storage Manager services.
4. Verify that the update was applied successfully.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to Dell Storage Manager management interfaces
Use firewall rules to limit access to trusted IP addresses only
API Proxy Restriction
Block or restrict access to ApiProxy.war endpoints
Configure web server/application firewall to block /ApiProxy/* paths
🧯 If You Can't Patch
- Isolate Dell Storage Manager systems from untrusted networks
- Implement network segmentation and strict access controls
🔍 How to Verify
Check if Vulnerable:
Check the Dell Storage Manager version via the web interface or CLI. If the version is 20.1.21, the system is vulnerable.
Check Version:
Check via Dell Storage Manager web interface or consult Dell documentation for version check commands.
Verify Fix Applied:
Verify that the version has been updated beyond 20.1.21, and test that the API endpoints now reject unauthenticated requests.
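The two verification steps above (version beyond 20.1.21, and unauthenticated API access rejected) as a small script. This is an added example, not Dell's tooling: the 20.1.21 boundary is the version stated on this page, the `/ApiProxy/` probe path is an assumed example, and the host and version string are passed in by the operator.

```python
import re
import ssl
import urllib.error
import urllib.request

# Added example (not Dell's code). The "vulnerable" / "updated" boundary is the
# 20.1.21 version stated on this page. Versions older than 20.1.21 are not
# listed on the page, so they are reported as "older_than_listed", not as safe.
LISTED_AFFECTED = (20, 1, 21)


def parse_version(text):
    """Pull a major.minor.patch triple out of a string such as 'Dell Storage Manager 20.1.21'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    # Integer tuple, so 20.1.9 compares below 20.1.21 (a plain string compare would not).
    return tuple(int(part) for part in m.groups())


def version_status(text):
    """Classify an installed version against the affected version from the page."""
    v = parse_version(text)
    if v == LISTED_AFFECTED:
        return "vulnerable"
    if v > LISTED_AFFECTED:
        return "updated"
    return "older_than_listed"


def unauthenticated_status(base_url, path="/ApiProxy/", timeout=10):
    """GET a management API path with no credentials and return the HTTP status.

    Run only against your own Dell Storage Manager host to confirm the fix:
    after patching, an unauthenticated request must not succeed. The path is an
    assumed example; substitute an endpoint you are entitled to test.
    """
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    ctx = ssl.create_default_context()  # keep certificate validation on
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 is the expected answer once authentication is enforced


def fix_verified(version_text, unauth_status):
    """Both page conditions must hold: version beyond 20.1.21 and unauthenticated access rejected."""
    return version_status(version_text) == "updated" and unauth_status in (401, 403)


if __name__ == "__main__":
    import sys
    # Usage: python verify_dsm.py https://dsm.example.internal "20.1.21"
    host, version = sys.argv[1], sys.argv[2]
    status = unauthenticated_status(host)
    print("version:", version_status(version), "| unauthenticated GET ->", status)
    print("fix verified:", fix_verified(version, status))
```

The version is parsed into an integer tuple on purpose: comparing `"20.1.9"` and `"20.1.21"` as strings would rank the older build as newer, which is exactly the mistake a quick shell one-liner tends to make.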
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated API access attempts
- Access using special SessionKey/UserId values
- Unusual API calls to DataCollectorEar endpoints
Network Indicators:
- HTTP requests to /ApiProxy/* without authentication headers
- Traffic to Dell Storage Manager ports from unexpected sources
SIEM Query:
source="dell-storage-manager" AND ((event_type="api_access" AND auth_status="failed") OR (uri_path="/ApiProxy/*" AND user_agent!="normal-client"))
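The log and network indicators listed above, applied to sample events. This is an added example, not part of the advisory or of any Dell product: the JSON field names, the trusted management subnet, and the sample log lines are all constructed assumptions, so the parser has to be adapted to the real Dell Storage Manager log format before use.

```python
import json
import ipaddress
from dataclasses import dataclass

# Added example (not Dell's code). Field names, the trusted subnet and the
# sample events are constructed assumptions for illustration only.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]   # assumed management subnet
MANAGEMENT_PREFIXES = ("/ApiProxy/", "/DataCollectorEar/")

# Constructed sample events, one JSON object per line.
SAMPLE_LOGS = """\
{"ts": "2025-10-23T10:00:01Z", "src_ip": "10.20.0.5", "uri_path": "/ApiProxy/example/login", "auth_header": true, "status": 200}
{"ts": "2025-10-23T10:00:07Z", "src_ip": "198.51.100.44", "uri_path": "/ApiProxy/example/volumes", "auth_header": false, "status": 200}
{"ts": "2025-10-23T10:00:09Z", "src_ip": "10.20.0.5", "uri_path": "/ApiProxy/example/volumes", "auth_header": true, "status": 200}
{"ts": "2025-10-23T10:00:12Z", "src_ip": "203.0.113.9", "uri_path": "/DataCollectorEar/example/status", "auth_header": true, "status": 200}
{"ts": "2025-10-23T10:00:15Z", "src_ip": "10.20.0.7", "uri_path": "/static/logo.png", "auth_header": false, "status": 200}
{"ts": "2025-10-23T10:00:20Z", "src_ip": "10.20.0.9", "uri_path": "/ApiProxy/example/volumes", "auth_header": false, "status": 401}
"""


@dataclass
class Alert:
    ts: str
    src_ip: str
    uri_path: str
    rule: str
    severity: str


def detect(log_text):
    """Return one Alert per matched indicator, in log order."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        path = ev.get("uri_path", "")
        if not path.startswith(MANAGEMENT_PREFIXES):
            continue  # only the management API paths from the page are of interest
        src = ipaddress.ip_address(ev["src_ip"])

        # Log indicator: an ApiProxy request that carries no authentication header.
        if path.startswith("/ApiProxy/") and not ev.get("auth_header", False):
            # A 2xx answer to an unauthenticated request is the bypass pattern;
            # a 401/403 means the request was rejected and is only a probe.
            severity = "high" if 200 <= ev.get("status", 0) < 300 else "medium"
            alerts.append(Alert(ev["ts"], ev["src_ip"], path,
                                "unauthenticated-apiproxy-request", severity))

        # Network indicator: management traffic from outside the trusted subnet.
        if not any(src in net for net in TRUSTED_NETS):
            alerts.append(Alert(ev["ts"], ev["src_ip"], path,
                                "management-request-from-untrusted-source", "medium"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, the shape a dashboard tile or daily report needs."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"{a.ts} {a.severity:6} {a.rule:42} {a.src_ip:15} {a.uri_path}")
    print(summarize(found))
```

Two design points: the rules deliberately ignore non-management paths, so a missing header on static content does not generate noise, and a rejected unauthenticated request is still recorded (at lower severity) because a run of them against `/ApiProxy/*` is the reconnaissance that precedes a successful bypass and is worth a look even after patching.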