Dell Technologies has issued a warning to customers after the discovery of critical vulnerabilities in its Storage Manager service.
The three flaws, tracked as CVE-2025-43995, CVE-2025-43994, and CVE-2025-46425, command CVSS scores of 9.8, 8.6, and 6.5, respectively.
All versions of Dell Storage Manager prior to version 20.1.21 are affected by the vulnerabilities, and the company has urged customers to immediately follow remediation steps to avoid potential compromise.
Remediation is available for versions 2020 R1.22 and later, according to the advisory.
“Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability,” the company told customers.
Dell Storage Manager flaws: What you need to know
Ranked as a critical vulnerability, CVE-2025-43995 is an improper authentication flaw in the DSM Data Collector feature for Dell Storage Manager.
In a customer advisory, the company said this could enable an unauthenticated attacker with remote access to bypass protection mechanisms and exploit exposed APIs.
“An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId,” the company said.
The second of the three flaws disclosed, CVE-2025-43994, is a missing authentication for a critical function vulnerability.
This means an unauthenticated attacker could trigger information disclosure, enabling them to steal configuration data, which could allow additional network intrusions.
With a “medium” rating of 6.5, CVE-2025-46425 contains an “improper restriction of XML external entity reference” vulnerability. Dell noted this could allow an attacker with remote access to exploit the flaw to access sensitive files.
What can customers do?
Jamie Akhtar, CEO and Co-founder at CyberSmart, said while there are no signs the flaws have been exploited in the wild, the advisory from Dell should still be a “serious concern” for customers, urging them to act immediately.
“The first step to remain safe is to update to Dell’s newest version immediately which has been released to address these issues,” he said.
“Next, harden access to the management interface and restrict it to trusted networks, enforce multi-factor authentication, and monitor logs for anomalous authentication or API activity.”
Akhtar added that frequent vulnerability scanning alongside adoption of “least privilege” principles are also advised.
“Even if an attacker reaches storage tooling, lateral movement must be made as difficult as possible."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- The unseen risks of cloud storage for businesses
- Why firms ignore vulnerabilities at their own risk
- Patch management vs vulnerability management
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Millions of Dell laptops are are at risk thanks to a Broadcom chip vulnerability – and more than 100 device models are impactedNews Widely used in high-security environments, the PCs are vulnerable to attacks allowing the theft of sensitive data
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Dell brings new cybersecurity features to PowerStore, Data Domain, and PowerScale product linesNews The company is leaning into the disaggregated infrastructure and AI-powered cybersecurity trends with these latest updates
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
