CVE-2025-13855
Received Received - Intake
SQL Injection in IBM Storage Protect Server Allows Data Manipulation

Publication date: 2026-04-01

Last updated on: 2026-04-02

Assigner: IBM Corporation

Description
IBM Storage Protect Server 8.2.0 IBM Storage Protect Plus Server is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13855
EUVD
EUVD-2025-209149
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ibm storage_protect_server 8.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-13855 is a SQL injection vulnerability affecting IBM Storage Protect Server version 8.2.0 and earlier. It occurs due to improper neutralization of special elements in SQL commands within the JSON-RPC endpoint.

An authenticated attacker can exploit this flaw by sending specially crafted SQL statements through the JSON-RPC interface, which allows them to execute backend SQL SELECT queries.

This can enable the attacker to view, add, modify, or delete administrative metadata stored in internal database tables.

Impact Analysis

This vulnerability can have significant impacts including unauthorized access and manipulation of sensitive data stored in the backend database.

  • Confidentiality impact: High, as attackers can view sensitive information.
  • Integrity impact: Low, since attackers have limited ability to modify data.
  • Availability impact: Low, meaning the system's availability is minimally affected.

Because the attack vector is network-based with low complexity and requires only low privileges, it poses a realistic threat if an attacker has authenticated access.

Detection Guidance

This vulnerability involves SQL injection through the JSON-RPC endpoint of IBM Storage Protect Server 8.2.0 and earlier versions. Detection would typically require monitoring for unusual or specially crafted SQL statements sent via the JSON-RPC interface by authenticated users.

However, no specific detection commands or tools are provided in the available information.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update IBM Storage Protect Server to version 8.2.1, which contains the fix for this SQL injection issue.

No workarounds or other mitigations are available according to the provided information.

Compliance Impact

The vulnerability allows an authenticated attacker to execute SQL injection attacks, potentially viewing, adding, modifying, or deleting sensitive administrative metadata stored in the backend database.

Such unauthorized access and manipulation of data could lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over the confidentiality, integrity, and availability of sensitive information.

Specifically, the high confidentiality impact (as indicated by the CVSS score) suggests that sensitive data could be exposed, which may result in non-compliance with these regulations.

Organizations using affected IBM Storage Protect Server versions should update to the fixed version 8.2.1 promptly to mitigate risks and maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13855. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart