Dell has warned customers of three critical vulnerabilities in its Storage Manager software that could allow attackers to bypass authentication, access sensitive information, and compromise systems without authorization.
The company has urged customers to follow all remediation steps immediately to prevent compromise.
Announced on October 24, 2025, the flaws impact Dell Storage Manager versions up to 20.1.21, highlighting ongoing risks associated with management interfaces in enterprise storage solutions. CVSS scores range from 6.5 to 9.8, underscoring the potential severity of remote exploitation.
Technical Details of the Flaws
The most severe issue, CVE-2025-43995, carries a CVSS base score of 9.8. It resides in the DSM Data Collector component and represents an improper authentication flaw.
A remote attacker can reach APIs exposed by the ApiProxy.war file inside DataCollectorEar.ear and supply a specially formatted SessionKey and UserId. Those forged values correspond to internal special users of the Compellent Services API, so the attacker bypasses the authentication mechanism entirely.
The potential impact is significant, with full system compromise possible, affecting confidentiality, integrity, and availability.
The second vulnerability, CVE-2025-43994, is rated 8.6 and stems from a missing authentication check in a critical function. It also affects DSM 20.1.21 and lets unauthenticated attackers trigger information disclosure and disrupt service availability. The CVSS vector reflects low attack complexity and the fact that no privileges are required, which is what makes the flaw attractive to opportunistic attackers.
A third issue, CVE-2025-46425, affects version 20.1.20 and involves improper restriction of XML external entity (XXE) references; it is scored 6.5. It requires low privileges, but a remote actor could exploit it to read sensitive files, an unauthorized disclosure that does not directly affect integrity or availability. The flaw underscores the danger of processing untrusted XML input in storage management systems.
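To make the XXE class concrete, the following is an added example (not Dell's code and not derived from the DSM product) showing the parser behaviour behind this kind of flaw. It uses Python's standard xml.sax parser: the `feature_external_ges` switch stands in for the weak setting, where the parser follows a SYSTEM entity reference and pulls the referenced file into the document, versus the hardened setting, where the reference is left unexpanded. The secret file, the XML document and the function names are constructed for the demonstration.

```python
"""XXE read versus hardened parsing, using Python's xml.sax.

Added example: the document, the secret file and all function names are
constructed here for illustration and are not from Dell Storage Manager.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Collect the character data that the parser reports inside elements."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted_xml(xml_bytes: bytes, allow_external_entities: bool) -> str:
    """Parse XML and return the text content of the document.

    allow_external_entities=True mirrors the weak configuration: the parser
    resolves SYSTEM entities and splices the referenced resource into the
    document.  False is the hardened setting, where the reference is skipped.
    """
    parser = xml.sax.make_parser()
    handler = _TextCollector()
    parser.setContentHandler(handler)
    # The security-relevant switch: external general entities on or off.
    parser.setFeature(feature_external_ges, allow_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def build_xxe_payload(file_url: str) -> bytes:
    """Construct a classic XXE document whose entity points at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE request [\n'
        f'  <!ENTITY leak SYSTEM "{file_url}">\n'
        ']>\n'
        '<request>&leak;</request>\n'
    ).encode()


def demo() -> tuple:
    """Return (result with external entities enabled, result with them disabled).

    A temporary file stands in for a sensitive file on the server.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("SECRET-CONTENT")  # constructed stand-in for a sensitive file
        path = fh.name
    try:
        payload = build_xxe_payload("file://" + path)
        leaked = parse_untrusted_xml(payload, allow_external_entities=True)
        blocked = parse_untrusted_xml(payload, allow_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("external entities enabled :", repr(leaked))
    print("external entities disabled:", repr(blocked))
```

With the feature enabled the parser returns the file's contents as the text of `<request>`; with it disabled the same document yields an empty string. The equivalent hardening for the Java parsers used in .war/.ear deployments is to disallow DOCTYPE declarations (for example the `http://apache.org/xml/features/disallow-doctype-decl` feature on a `DocumentBuilderFactory`) or to disable external general and parameter entities, so that attacker-supplied DTDs cannot reference server-side resources.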
Mitigation and Vendor Guidance
Dell Technologies strongly urges customers to carefully evaluate risk using both base and environmental CVSS scores and to apply updates immediately.
Affected products include Dell Storage Manager versions up to and including 2020 R1.21 (20.1.21); fixes are available in version 2020 R1.22 or later via Dell’s support site for Storage SC2000 drivers.
The advisory was revised on the same day to clarify remediation instructions. Credit for discovering CVE-2025-43994 and CVE-2025-43995 goes to Tenable, while independent researcher Ahmed Y. Elmogy identified CVE-2025-46425.
The Bigger Picture
With enterprises increasingly reliant on storage management platforms for data center operations, these disclosures highlight the importance of robust authentication controls and continuous vulnerability scanning.
While there are no reports of active exploitation yet, the ease of remote, unauthenticated exploitation makes timely patching critical to preventing a breach.