CVE-2025-13855
SQL Injection in IBM Storage Protect Server Allows Data Manipulation
Publication date: 2026-04-01
Last updated on: 2026-04-02
Assigner: IBM Corporation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | storage_protect_server | 8.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-13855 is a SQL injection vulnerability affecting IBM Storage Protect Server version 8.2.0 and earlier. It occurs due to improper neutralization of special elements in SQL commands within the JSON-RPC endpoint.
An authenticated attacker can exploit this flaw by sending specially crafted SQL statements through the JSON-RPC interface, which allows them to execute backend SQL SELECT queries.
This can enable the attacker to view, add, modify, or delete administrative metadata stored in internal database tables.
How can this vulnerability impact me?
This vulnerability can have significant impacts including unauthorized access and manipulation of sensitive data stored in the backend database.
- Confidentiality impact: High, as attackers can view sensitive information.
- Integrity impact: Low, since attackers have limited ability to modify data.
- Availability impact: Low, meaning the system's availability is minimally affected.
Because the attack vector is network-based with low complexity and requires only low privileges, it poses a realistic threat if an attacker has authenticated access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SQL injection through the JSON-RPC endpoint of IBM Storage Protect Server 8.2.0 and earlier versions. Detection would typically require monitoring for unusual or specially crafted SQL statements sent via the JSON-RPC interface by authenticated users.
However, no specific detection commands or tools are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update IBM Storage Protect Server to version 8.2.1, which contains the fix for this SQL injection issue.
No workarounds or other mitigations are available according to the provided information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated attacker to execute SQL injection attacks, potentially viewing, adding, modifying, or deleting sensitive administrative metadata stored in the backend database.
Such unauthorized access and manipulation of data could lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over the confidentiality, integrity, and availability of sensitive information.
Specifically, the high confidentiality impact (as indicated by the CVSS score) suggests that sensitive data could be exposed, which may result in non-compliance with these regulations.
Organizations using affected IBM Storage Protect Server versions should update to the fixed version 8.2.1 promptly to mitigate risks and maintain compliance.