Please contact psirt@purestorage.com or via Slack #psirt-request with any questions or concerns.
For current remediation status refer to ATOM Dashboard.
Summary
Improper input validation performed during the authentication process of FlashBlade could lead to a system "Denial of Service”.
| CVE | Base CVSS 4.0 Score | Severity | Vector |
|---|---|---|---|
| CVE-2025-0052 | 8.3 | High | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L |
-
Purity//FB 3.3.0 - 3.3.11 (EOL)
-
Purity//FB 4.0.0 - 4.0.6 (EOL)
-
Purity//FB 4.1.0 - 4.1.20
-
Purity//FB 4.2.0 - 4.2.3 (EOL)
-
Purity//FB 4.3.0 - 4.3.12
-
Purity//FB 4.4.0 - 4.4.6
-
Purity//FB 4.5.0 - 4.5.2Note: If you are on an EOL Purity version, we highly recommend upgrading to a supported version to remediate this vulnerability.
Corrective Action
Affected customers will need to apply a self-service patch or upgrade their Purity to an unaffected Purity version.
-
Purity//FB 4.3.13 or later
-
Purity//FB 4.4.7 or later
-
Purity//FB 4.5.3 or later
Customers on End-Of-Life (EOL) Purity versions are highly encouraged to upgrade to a supported version which contains the above fix.
Mitigating Controls/Corrective Action
- Restrict array access to only trusted users. Everpure strongly encourages the widely-endorsed best practice of highly restricting -- if not blocking altogether -- Internet access to management interfaces
-
Closely monitor arrays for abnormal or unexpected workload/ IO spikes or utilization as a leading indicator
-
Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns
-
In FlashBlade //Purity version 4.4.0 onward, network policies can be configured to ensure only users from trusted IPs can access the array
Contacting Support
If you need assistance with this issue, please call Technical Services at +1 866-244-7121. If calling from outside the US, please select from the list of phone numbers here: Contact Us.
-
Apply a Pure1 online, self-service opt-in security patch bundle (preferred method).
-
Follow steps on FB KB - FlashBlade DOS Vulnerability Security Patch (security-patch-fb-2025-A).
-
Please be aware that security-patch-fb-2025-A will contain security bundle from last year (security-bundle-fb-2024-01-15), for customers who have not yet applied it. For information on the prior patch, please refer to Security Bulletin for 2024 January FlashArray and FlashBlade Security Vulnerabilities.
-
-
Purity upgrade to an unaffected Purity release.
-
Purity//FB 4.3.13 or later
-
Purity//FB 4.4.7 or later
-
Purity//FB 4.5.3 or later
Support Escalation - How To Escalate a Case
Please see Customer Escalation Procedures & Contact Pure Security for additional information.