CVE-2025-64650
📋 TL;DR
IBM Storage Defender - Resiliency Service versions 2.0.0 through 2.0.18 write sensitive user credentials to log files. This allows attackers with access to log files to obtain authentication credentials, potentially compromising the storage management system. Organizations using affected versions are vulnerable.
💻 Affected Systems
- IBM Storage Defender - Resiliency Service
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain administrative credentials, gain full control of the storage management system, and potentially access or manipulate sensitive storage infrastructure and data.
Likely Case
Attackers with log file access (e.g., through other vulnerabilities or misconfigurations) harvest credentials and use them for unauthorized access to the storage management interface.
If Mitigated
With proper log file permissions and access controls, credential exposure is limited to authorized administrators only.
🎯 Exploit Status
Exploitation requires access to log files, which typically requires some level of system access or other vulnerabilities. Once log access is obtained, credential extraction is trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.19 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7253864
Restart Required: Yes
Instructions:
1. Download IBM Storage Defender - Resiliency Service version 2.0.19 or later from IBM Fix Central.
2. Follow IBM's upgrade documentation for your deployment type.
3. Restart the Resiliency Service after installation.
🔧 Temporary Workarounds
Restrict log file access
Linux: Set strict file permissions on log directories to prevent unauthorized access
chmod 600 /var/log/ibm-storage-defender/*.log
chown root:root /var/log/ibm-storage-defender/*.log
Disable debug logging
All platforms: Reduce logging verbosity to minimize credential exposure in logs
Edit configuration to set log level to WARN or ERROR instead of DEBUG/INFO
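To check whether the "Restrict log file access" workaround is actually in place, and to apply it, here is an added example; it is not part of IBM's advisory or the product. It lists regular files in a log directory that grant any permission to group or others and reduces them to owner read/write (0600). The directory path is an argument you supply, and the sample directory the demo builds is constructed for illustration. Note that the chmod/chown pair in the workaround assumes the Resiliency Service writes its logs as root; if it runs under a service account, that account must own the files or logging will fail.

```python
"""Audit and tighten permissions on a log directory (added example, not IBM code).

insecure_log_files() reports regular files that grant any permission to group
or others; harden_log_files() reduces them to owner read/write (0600).
make_sample_log_dir() builds a constructed directory for the demo.
"""
import os
import stat
import tempfile


def insecure_log_files(directory, forbidden_mask=0o077):
    """Return names of regular files in `directory` with any group/other bit set."""
    insecure = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat: never follow a symlink planted in the log dir
        if not stat.S_ISREG(st.st_mode):
            continue  # skip directories, symlinks, sockets
        if stat.S_IMODE(st.st_mode) & forbidden_mask:
            insecure.append(name)
    return insecure


def harden_log_files(directory, mode=0o600):
    """chmod every insecure regular file to `mode`; return the names that were changed."""
    changed = []
    for name in insecure_log_files(directory):
        os.chmod(os.path.join(directory, name), mode)
        changed.append(name)
    return changed


def make_sample_log_dir():
    """Constructed sample: one world-readable log, one already restricted to the owner."""
    directory = tempfile.mkdtemp(prefix="defender-logs-")
    for name, mode in (("resiliency.log", 0o644), ("audit.log", 0o600)):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("constructed sample log line\n")
        os.chmod(path, mode)  # explicit mode, independent of the process umask
    return directory


def demo():
    """Run audit -> harden -> re-audit on the sample directory; return the three results."""
    directory = make_sample_log_dir()
    before = insecure_log_files(directory)
    changed = harden_log_files(directory)
    after = insecure_log_files(directory)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    print("insecure before:", before)
    print("hardened:", changed)
    print("insecure after:", after)
```

The audit uses lstat and skips anything that is not a regular file, so a symlink dropped into the log directory cannot redirect the chmod to another path. Run the audit from cron or a configuration-management check so that permissions that drift back after a log rotation are caught.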
🧯 If You Can't Patch
- Implement strict access controls on log directories and files
- Regularly monitor and audit log file access patterns
🔍 How to Verify
Check if Vulnerable:
Check the installed version of IBM Storage Defender - Resiliency Service. If the version is between 2.0.0 and 2.0.18 inclusive, the system is vulnerable.
Check Version:
Run ibm-storage-defender-resiliency --version, or check the administration panel of the web interface.
Verify Fix Applied:
After patching, verify the version is 2.0.19 or later and check that credentials no longer appear in log files during normal operations.
📡 Detection & Monitoring
Log Indicators:
- Plaintext passwords or authentication tokens in log files
- Sensitive credential strings in application logs
Network Indicators:
- Unauthorized access attempts using credentials found in logs
SIEM Query:
source="ibm-storage-defender" AND ("password" OR "token" OR "credential") AND (log_level="DEBUG" OR log_level="INFO")
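The log indicators above and the post-patch check ("credentials no longer appear in log files") both come down to the same task: scanning log lines for secrets. Here is an added example scanner; it is not IBM's code, and the log format, the key names and the sample lines are constructed for illustration, so adjust the patterns to your own log layout. It flags key=value secrets and echoed HTTP Authorization headers, reports each finding with the value redacted so the report itself does not re-leak the credential, and also implements the SIEM keyword query so the two approaches can be compared on the same input.

```python
"""Scan log lines for credentials that should never have been written.

Added example (not IBM's code). The level prefix, key names and SAMPLE_LINES
are constructed for illustration; tune the patterns to your own log format.
"""
import re

# "<timestamp> <LEVEL> ..." - constructed layout, adjust to your logs
LEVEL_RE = re.compile(r"^\S+\s+(DEBUG|INFO|WARN|ERROR)\b")

# key=value / key: value secrets such as password=..., token: ..., api_key=...
KV_SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*[\"']?([^\s\"',;]+)"
)
# HTTP Authorization headers echoed into logs (Basic/Bearer credentials)
AUTH_HEADER_RE = re.compile(r"(?i)\bauthorization:\s*(basic|bearer)\s+([A-Za-z0-9+/=_.\-]+)")

# The SIEM query from this page, expressed as keyword + level filters
SIEM_KEYWORDS = ("password", "token", "credential")
SIEM_LEVELS = ("DEBUG", "INFO")


def redact(value):
    """Keep a two-character prefix so a finding is actionable without exposing the secret."""
    return value[:2] + "***" if len(value) > 2 else "***"


def log_level(line):
    """Return the log level of a line, or None if the line has no recognised prefix."""
    m = LEVEL_RE.match(line)
    return m.group(1) if m else None


def scan_line(lineno, line):
    """Return a list of findings for one line; each finding carries a redacted value."""
    findings = []
    level = log_level(line)
    for m in KV_SECRET_RE.finditer(line):
        findings.append({"line": lineno, "level": level,
                         "kind": m.group(1).lower(), "value": redact(m.group(2))})
    for m in AUTH_HEADER_RE.finditer(line):
        findings.append({"line": lineno, "level": level,
                         "kind": "authorization-" + m.group(1).lower(),
                         "value": redact(m.group(2))})
    return findings


def scan_log(lines):
    """Scan an iterable of log lines and return all findings in order."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        findings.extend(scan_line(lineno, line))
    return findings


def matches_siem_query(line):
    """Mirror of the page's SIEM query with the OR correctly parenthesised."""
    lowered = line.lower()
    return log_level(line) in SIEM_LEVELS and any(k in lowered for k in SIEM_KEYWORDS)


# Constructed sample lines: a leaked password, a leaked bearer token, a benign
# WARN line, and an INFO line that merely contains the substring "token".
SAMPLE_LINES = [
    "2025-01-15T10:12:01Z INFO  LoginService user=admin password=Sup3rSecret! login ok",
    "2025-01-15T10:12:02Z DEBUG HttpClient Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig",
    "2025-01-15T10:12:03Z WARN  Scheduler job backup-42 took 13s",
    "2025-01-15T10:12:04Z INFO  Config token_refresh_interval=3600",
]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LINES):
        print(finding)
    for line in SAMPLE_LINES:
        print(matches_siem_query(line), line[:60])
```

On the sample input the pattern scanner reports lines 1 and 2 only. The keyword query behaves differently: it matches line 1, matches line 4 as a false positive (the substring "token" in a harmless setting name), and misses the bearer token on line 2 because that line never contains the word "token". Use the SIEM query as a broad first filter and a pattern scanner like this one to confirm what was actually leaked, and run the scanner again after upgrading to 2.0.19 to verify the fix.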