Critical Dell Storage Manager Vulnerabilities Let Attackers Compromise System
On October 24, 2025, Dell Technologies disclosed three critical vulnerabilities in its Storage Manager software. These vulnerabilities may allow attackers to bypass authentication, disclose sensitive information, and gain unauthorized access to systems.
Vulnerability Details
- CVE-2025-43995: This critical vulnerability, with a CVSS score of 9.8, involves improper authentication within the DSM Data Collector component. An unauthenticated attacker with remote access can exploit APIs in the ApiProxy.war file by crafting a special SessionKey and UserId, potentially leading to full system compromise.
- CVE-2025-43994: Scored at 8.6, this vulnerability involves a missing authentication check for a critical function in DSM 20.1.21, enabling remote attackers to trigger information disclosure and disrupt service availability.
- CVE-2025-46425: This vulnerability, with a score of 6.5, affects version 20.1.20 and involves improper restriction of XML external entity references. It allows a remote attacker with low privileges to read sensitive files.
Technical Specifications
| CVE ID | Description | CVSS Base Score | Vector String |
|---|---|---|---|
| CVE-2025-43995 | Improper Authentication (Bypass) | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2025-43994 | Missing Authentication (Disclosure) | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
| CVE-2025-46425 | XXE Reference Vulnerability | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Mitigation and Recommendations
Dell advises customers to assess risk using both the base and the environmental CVSS scores and to apply the updates immediately. Affected products include Dell Storage Manager versions prior to 2020 R1.21. Remediation is available in version 2020 R1.22 or later, downloadable from Dell’s support site.
No active exploitation has been reported. However, because the flaws are exploitable remotely over the network, prompt patching is necessary to prevent compromise.