Spectrum Protect Server
Monthly
CVE-2025-3319 is an authentication bypass vulnerability in IBM Spectrum Protect Server versions 8.1 through 8.1.26 caused by improper session authentication mechanisms. This flaw allows unauthenticated network attackers to bypass authentication and gain unauthorized access to protected resources, potentially compromising backup and recovery infrastructure. With a CVSS score of 8.1 (High) and network-based attack vector, this vulnerability poses significant risk to organizations relying on Spectrum Protect for data protection.
While a user account for the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 is being established, it may be configured to use SESSIONSECURITY=TRANSITIONAL. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity.
An IBM Spectrum Protect storage agent could allow a remote attacker to perform a brute force attack by allowing unlimited attempts to login to the storage agent without locking the administrative ID. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
IBM Spectrum Protect Server 8.1.0.000 through 8.1.10.000 could disclose sensitive information in nondefault settings due to occasionally not encrypting the second chunk of an object in an encrypted. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity.
IBM Spectrum Protect Server 7.1 and 8.1 could disclose highly sensitive information via trace logs to a local privileged user. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.
CVE-2025-3319 is an authentication bypass vulnerability in IBM Spectrum Protect Server versions 8.1 through 8.1.26 caused by improper session authentication mechanisms. This flaw allows unauthenticated network attackers to bypass authentication and gain unauthorized access to protected resources, potentially compromising backup and recovery infrastructure. With a CVSS score of 8.1 (High) and network-based attack vector, this vulnerability poses significant risk to organizations relying on Spectrum Protect for data protection.
While a user account for the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 is being established, it may be configured to use SESSIONSECURITY=TRANSITIONAL. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity.
An IBM Spectrum Protect storage agent could allow a remote attacker to perform a brute force attack by allowing unlimited attempts to login to the storage agent without locking the administrative ID. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
IBM Spectrum Protect Server 8.1.0.000 through 8.1.10.000 could disclose sensitive information in nondefault settings due to occasionally not encrypting the second chunk of an object in an encrypted. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity.
IBM Spectrum Protect Server 7.1 and 8.1 could disclose highly sensitive information via trace logs to a local privileged user. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.