Severe bugs in Dell Storage Manager let hackers bypass authentication and gain remote access. Patch now to secure enterprise storage systems.
Researchers have found new vulnerabilities in Dell Storage Manager (DSM) that could allow remote attackers to bypass authentication, access sensitive data, or completely compromise enterprise storage systems.
Dell confirmed the flaws affect DSM versions up to 20.1.21 — with severity scores as high as 9.8 (critical) on the CVSS scale.
Tenable researchers stated that CVE-2025-43994 “… could allow the attacker to fill up a disk drive, potentially leading to DoS.”
The affected software is deployed in data centers managing Dell Compellent and SC Series storage systems.
If exploited, attackers could gain visibility into an organization’s storage topology and configuration, and potentially into the data itself.
There are no reports of active exploitation as of the date of publication. Still, the low attack complexity and remote access potential make these flaws prime targets once proof-of-concepts (PoCs) circulate.
The most severe of the three vulnerabilities, CVE-2025-43995, originates from an improper authentication mechanism in the DSM Data Collector component.
By exploiting exposed APIs in the ApiProxy.war file, attackers can craft forged SessionKey and UserId values to pose as trusted internal accounts.
Because the attack requires no authentication or user interaction, it provides a direct route to full remote compromise — granting control over impacted systems.
Its CVSS vector, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflects the potential for complete loss of confidentiality, integrity, and availability.
Here is a breakdown of the CVSS vector for CVE-2025-43995: Attack Vector: Network (AV:N); Attack Complexity: Low (AC:L); Privileges Required: None (PR:N); User Interaction: None (UI:N); Scope: Unchanged (S:U); Confidentiality, Integrity and Availability impact: High (C:H/I:H/A:H).
This means the vulnerability is easy to exploit remotely, requires no login or user action, and can cause total system compromise — exposing data, allowing tampering, and potentially shutting down the affected system entirely.
The additional vulnerabilities discovered were CVE-2025-43994 and CVE-2025-46425.
CVE-2025-43994 results from a missing authentication check, allowing unauthenticated attackers to pull sensitive configuration data or disrupt operations with minimal effort.
Meanwhile, CVE-2025-46425 involves an XML External Entity (XXE) vulnerability that lets low-privilege users read protected files by manipulating XML inputs.
Organizations should patch immediately to version 2020 R1.22 or later, which mitigates all three vulnerabilities.
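As an added example, not code from the article or from Dell: a small Python helper that normalises the two version formats the article uses and flags hosts still in the affected range, assuming (the page does not state this) that the "2020 R1.x" release naming corresponds to the dotted 20.1.x form.

```python
import re
from typing import Dict, Tuple

# Version boundaries taken from the article: every release up to 20.1.21 is
# affected; 2020 R1.22 is the first release that mitigates all three CVEs.
LAST_AFFECTED = (20, 1, 21)
FIRST_FIXED = (20, 1, 22)

_DOTTED = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
# Assumption (not stated on the page): the marketing form "2020 R1.22" maps
# onto the dotted form 20.1.22, i.e. "20YY RN.P" -> (YY, N, P).
_MARKETING = re.compile(r"^20(\d\d)\s*R(\d+)\.(\d+)$", re.IGNORECASE)


def parse_dsm_version(text: str) -> Tuple[int, int, int]:
    """Normalise a DSM version string into a comparable (major, release, patch) tuple."""
    s = text.strip()
    m = _DOTTED.match(s) or _MARKETING.match(s)
    if not m:
        raise ValueError(f"unrecognised DSM version string: {text!r}")
    major, release, patch = (int(g) for g in m.groups())
    return (major, release, patch)


def is_affected(text: str) -> bool:
    """True when the given DSM version falls inside the affected range (<= 20.1.21)."""
    return parse_dsm_version(text) <= LAST_AFFECTED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: version} inventory to 'PATCH' or 'OK'."""
    return {host: ("PATCH" if is_affected(v) else "OK") for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"dsm-dc-01": "20.1.21", "dsm-dc-02": "2020 R1.22", "dsm-lab": "19.1.5"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```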
Even with patches available, layered defense remains important. The following measures can help organizations limit risk and detect potential exploitation early.
Together, these measures can help organizations reduce their attack surface and improve their cyber resilience.
As organizations expand their digital storage and hybrid environments, management tools like DSM are becoming increasingly attractive targets.
The same connectivity that streamlines administration also broadens the attack surface, exposing once-isolated systems to new risks.
In today’s cloud-connected landscape, every exposed management interface represents a potential breach.
These risks underscore why modern enterprises are turning to zero trust to eliminate implicit trust and enforce strict, continuous verification across all systems.
Editor’s note: This article first appeared on our sister publication, eSecurityPlanet.