CVE-2025-1351 (GCVE-0-2025-1351)
Vulnerability from cvelistv5 – Published: 2025-07-07 16:41 – Updated: 2025-08-24 11:32
VLAI?
Summary
IBM Storage Virtualize 8.5, 8.6, and 8.7 products could allow a user to escalate their privileges to that of another user logging in at the same time due to a race condition in the login function.
Severity ?
6.7 (Medium)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Storage Virtualize |
Affected:
8.5
Affected: 8.6 Affected: 8.7 cpe:2.3:a:ibm:storage_virtualize:8.5.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.5.0.14:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.5.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.5.2.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.5.2.3:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.5.3.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.5.3.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.5.4.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.6.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.6.0.7:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.6.2.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.6.2.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.6.3.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.7.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.7.2.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.7.2.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.7.3.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:storage_virtualize:8.7.3.1:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1351",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-08T03:55:22.034518Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T13:30:31.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:storage_virtualize:8.5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.5.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.5.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.5.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.5.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.5.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.5.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.5.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.6.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.6.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.6.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.6.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.7.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.7.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.7.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:storage_virtualize:8.7.3.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Storage Virtualize",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "8.5"
},
{
"status": "affected",
"version": "8.6"
},
{
"status": "affected",
"version": "8.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Storage Virtualize 8.5, 8.6, and 8.7 products \u003c/span\u003ecould allow a user to escalate their privileges to that of another user logging in at the same time due to a race condition in the login function."
}
],
"value": "IBM Storage Virtualize 8.5, 8.6, and 8.7 products could allow a user to escalate their privileges to that of another user logging in at the same time due to a race condition in the login function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-24T11:32:40.044Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7237157"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, IBM Storwize V5000, V5100 and V5000E, IBM FlashSystem 5000, 5100, 5200 and 5300, IBM FlashSystem 7200 and 7300, IBM FlashSystem 9100, 9200 and 9500 and IBM Storage Virtualize for Public Cloud to the code levels in the following table or higher using the download links for each product below the table.\u003cbr\u003e\u003cbr\u003eAffected Version(s) Fixed Version\u003cbr\u003e8.5.0.0-8.5.0.14 8.5.0.15\u003cbr\u003e8.5.1.0, 8.5.2.0-8.5.2.3, 8.5.3.0-8.5.3.1, 8.5.4.0 8.6.0.8\u003cbr\u003e8.6.0.0-8.6.0.7 8.6.0.8\u003cbr\u003e8.6.1.0, 8.6.2.0-8.6.2.1, 8.6.3.0 8.7.0.5\u003cbr\u003e8.7.0.0-8.7.0.4 8.7.0.5\u003cbr\u003e8.7.1.0, 8.7.2.0-8.7.2.1 8.7.3.0-8.7.3.1 8.7.3.2"
}
],
"value": "IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, IBM Storwize V5000, V5100 and V5000E, IBM FlashSystem 5000, 5100, 5200 and 5300, IBM FlashSystem 7200 and 7300, IBM FlashSystem 9100, 9200 and 9500 and IBM Storage Virtualize for Public Cloud to the code levels in the following table or higher using the download links for each product below the table.\n\nAffected Version(s) Fixed Version\n8.5.0.0-8.5.0.14 8.5.0.15\n8.5.1.0, 8.5.2.0-8.5.2.3, 8.5.3.0-8.5.3.1, 8.5.4.0 8.6.0.8\n8.6.0.0-8.6.0.7 8.6.0.8\n8.6.1.0, 8.6.2.0-8.6.2.1, 8.6.3.0 8.7.0.5\n8.7.0.0-8.7.0.4 8.7.0.5\n8.7.1.0, 8.7.2.0-8.7.2.1 8.7.3.0-8.7.3.1 8.7.3.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Storage Virtualize privilege escalation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-1351",
"datePublished": "2025-07-07T16:41:23.342Z",
"dateReserved": "2025-02-15T15:14:08.079Z",
"dateUpdated": "2025-08-24T11:32:40.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-1351\",\"sourceIdentifier\":\"psirt@us.ibm.com\",\"published\":\"2025-07-07T17:15:27.693\",\"lastModified\":\"2025-08-14T00:57:24.720\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"IBM Storage Virtualize 8.5, 8.6, and 8.7 products could allow a user to escalate their privileges to that of another user logging in at the same time due to a race condition in the login function.\"},{\"lang\":\"es\",\"value\":\"Los productos IBM Storage Virtualize 8.5, 8.6 y 8.7 podr\u00edan permitir que un usuario aumente sus privilegios a los de otro usuario que inicie sesi\u00f3n al mismo tiempo debido a una condici\u00f3n de ejecuci\u00f3n en la funci\u00f3n de inicio de sesi\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:storage_virtualize:8.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E1BFB3D4-E523-43F7-A809-EDBA520EFF06\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:storage_virtualize:8.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"42E2161E-7444-43FE-BA82-DA2103104A5E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:storage_virtualize:8.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9974C055-7EE5-42ED-9998-9A8F1ABBE78E\"}]}]}],\"references\":[{\"url\":\"https://www.ibm.com/support/pages/node/7237157\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-1351\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-08T03:55:22.034518Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-11T13:24:56.329Z\"}}], \"cna\": {\"title\": \"IBM Storage Virtualize privilege escalation\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ibm:storage_virtualize:8.5.0.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.5.0.14:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.5.1.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.5.2.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.5.2.3:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.5.3.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.5.3.1:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.5.4.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.6.0.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.6.0.7:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.6.1.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.6.2.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.6.2.1:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.6.3.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.7.0.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.7.2.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.7.2.1:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.7.3.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:storage_virtualize:8.7.3.1:*:*:*:*:*:*:*\"], \"vendor\": \"IBM\", \"product\": \"Storage Virtualize\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.5\"}, {\"status\": \"affected\", \"version\": \"8.6\"}, {\"status\": \"affected\", \"version\": \"8.7\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, IBM Storwize V5000, V5100 and V5000E, IBM FlashSystem 5000, 5100, 5200 and 5300, IBM FlashSystem 7200 and 7300, IBM FlashSystem 9100, 9200 and 9500 and IBM Storage Virtualize for Public Cloud to the code levels in the following table or higher using the download links for each product below the table.\\n\\nAffected Version(s) Fixed Version\\n8.5.0.0-8.5.0.14 8.5.0.15\\n8.5.1.0, 8.5.2.0-8.5.2.3, 8.5.3.0-8.5.3.1, 8.5.4.0 8.6.0.8\\n8.6.0.0-8.6.0.7 8.6.0.8\\n8.6.1.0, 8.6.2.0-8.6.2.1, 8.6.3.0 8.7.0.5\\n8.7.0.0-8.7.0.4 8.7.0.5\\n8.7.1.0, 8.7.2.0-8.7.2.1 8.7.3.0-8.7.3.1 8.7.3.2\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, IBM Storwize V5000, V5100 and V5000E, IBM FlashSystem 5000, 5100, 5200 and 5300, IBM FlashSystem 7200 and 7300, IBM FlashSystem 9100, 9200 and 9500 and IBM Storage Virtualize for Public Cloud to the code levels in the following table or higher using the download links for each product below the table.\u003cbr\u003e\u003cbr\u003eAffected Version(s) Fixed Version\u003cbr\u003e8.5.0.0-8.5.0.14 8.5.0.15\u003cbr\u003e8.5.1.0, 8.5.2.0-8.5.2.3, 8.5.3.0-8.5.3.1, 8.5.4.0 8.6.0.8\u003cbr\u003e8.6.0.0-8.6.0.7 8.6.0.8\u003cbr\u003e8.6.1.0, 8.6.2.0-8.6.2.1, 8.6.3.0 8.7.0.5\u003cbr\u003e8.7.0.0-8.7.0.4 8.7.0.5\u003cbr\u003e8.7.1.0, 8.7.2.0-8.7.2.1 8.7.3.0-8.7.3.1 8.7.3.2\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.ibm.com/support/pages/node/7237157\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"IBM Storage Virtualize 8.5, 8.6, and 8.7 products could allow a user to escalate their privileges to that of another user logging in at the same time due to a race condition in the login function.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eIBM Storage Virtualize 8.5, 8.6, and 8.7 products \u003c/span\u003ecould allow a user to escalate their privileges to that of another user logging in at the same time due to a race condition in the login function.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-362\", \"description\": \"CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"shortName\": \"ibm\", \"dateUpdated\": \"2025-08-24T11:32:40.044Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-1351\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-24T11:32:40.044Z\", \"dateReserved\": \"2025-02-15T15:14:08.079Z\", \"assignerOrgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"datePublished\": \"2025-07-07T16:41:23.342Z\", \"assignerShortName\": \"ibm\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…