Dell Technologies has issued a warning to customers after the discovery of critical vulnerabilities in its Storage Manager service.
The three flaws, tracked as CVE-2025-43995, CVE-2025-43994, and CVE-2025-46425, command CVSS scores of 9.8, 8.6, and 6.5, respectively.
All versions of Dell Storage Manager prior to version 20.1.21 are affected by the vulnerabilities, and the company has urged customers to immediately follow remediation steps to avoid potential compromise.
Remediation is available for versions 2020 R1.22 and later, according to the advisory.
“Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability,” the company told customers.
Dell Storage Manager flaws: What you need to know
Ranked as a critical vulnerability, CVE-2025-43995 is an improper authentication flaw in the DSM Data Collector feature for Dell Storage Manager.
In a customer advisory, the company said this could enable an unauthenticated attacker with remote access to bypass protection mechanisms and exploit exposed APIs.
“An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId,” the company said.
The second of the three flaws disclosed, CVE-2025-43994, is a missing authentication for a critical function vulnerability.
This means an unauthenticated attacker could trigger information disclosure, enabling them to steal configuration data, which could allow additional network intrusions.
With a “medium” rating of 6.5, CVE-2025-46425 contains an “improper restriction of XML external entity reference” vulnerability. Dell noted this could allow an attacker with remote access to exploit the flaw to access sensitive files.
What can customers do?
Jamie Akhtar, CEO and Co-founder at CyberSmart, said while there are no signs the flaws have been exploited in the wild, the advisory from Dell should still be a “serious concern” for customers, urging them to act immediately.
“The first step to remain safe is to update to Dell’s newest version immediately which has been released to address these issues,” he said.
“Next, harden access to the management interface and restrict it to trusted networks, enforce multi-factor authentication, and monitor logs for anomalous authentication or API activity.”
Akhtar added that frequent vulnerability scanning alongside adoption of “least privilege” principles are also advised.
“Even if an attacker reaches storage tooling, lateral movement must be made as difficult as possible."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
US cyber resilience insights
Resilient pharmacy care, safeguarding vital health services
Dell PowerProtect Data Manager
Brace yourselves for a vulnerability explosion, Forescout warns
How to achieve cyber resilience today, tomorrow, and beyond
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromise
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerability
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourself
