BRMS Isn’t The Only Backup Product With A Security Problem
July 21, 2025 Alex Woodie
IBM last month patched a serious security flaw in BRMS, the built-in backup and recovery facility that it ships with the IBM i operating system. The flaw is the latest in a series of security flaws uncovered in backup tools, which cybercriminals now appear to be targeting.
If you’re a regular reader of Doug Bidwell’s IBM i PTF Guide – and really, if you are responsible for managing an IBM i environment, you should be reading it regularly – then you already knew about the security flaw in BRMS. Bidwell covered the flaw and the associated emergency PTF for IBM i versions 7.4 and 7.5 in the June 16 edition of the IBM i PTF Guide.
The BRMS flaw, assigned the number CVE-2025-33108, is a nasty one. The vulnerability, which was disclosed and patched by IBM on June 13, could enable an attacker to exploit an unqualified library call to gain elevated privileges on the system, which could allow them to run their own code. It was given a CVSS Base score of 8.5, reflecting an elevated potential for harm.
But BRMS isn’t the only backup tool that has recently been discovered to harbor a security flaw. HPE disclosed multiple critical vulnerabilities affecting its StoreOnce data protection platform a week before IBM disclosed the BRMS flaw. These flaws could let remote attackers bypass authentication controls, execute malicious code, and access sensitive enterprise data.
Dell disclosed two major vulnerabilities in its PowerScale OneFS storage operating system on the same day that HPE disclosed its flaws. The most critical vulnerability could enable unauthenticated attackers to gain full, unauthorized access to the enterprise file system.
In late April, Commvault disclosed two vulnerabilities in its products that were being actively exploited in the wild. These include CVE-2025-34028, a flaw in the Commvault Command Center that received a CVSS Base score of 10, the maximum, as well as CVE-2025-3928, a flaw in a Commvault Web server with a CVSS Base score of 8.7.
The emergence of security flaws in backup software is something that the folks at the security software firm Continuity Software are following closely.
“Cybercriminals are actively targeting backup software, and this trend is accelerating,” Yaniv Valik, vice president of product management at Continuity Software, tells IT Jungle. “Continuity’s threat intelligence and field research have observed a significant rise in exploits aimed specifically at backup and storage infrastructure, often as part of multi-stage ransomware campaigns.”
The security flaws in backup products are being actively exploited, Valik says. For instance, UnitedHealth suffered a major ransomware attack that forced the company to perform a complete rebuild on its systems, he says. When the health insurance company failed to sequester its backups with network segmentation or infrastructure gapping, the attackers exploited security flaws to lock up the backups, thereby preventing the company from recovering its systems, he says.
Another health company suffering from security flaws in backup software is the Bolton Walk-In Clinic in Ontario, Canada. Valik says a misconfigured backup system exposed patient data. “It was originally identified in August,” he says. “Four months later, the backup was still misconfigured and exposing patient data. Some of this data goes back more than a decade.”
Hackers attacked the National Health Laboratory Service (NHLS) servers in South Africa and deleted their backups. Some of the most successful attacks targeting backup software and NAS devices have involved Akira malware. “In fact, six out of the seven ransomware attacks in Finland in December contained the Akira malware,” Valik says.
Backup products are critical components in enterprise IT. While there’s no way to completely eliminate the risk that the backup product you use contains a security vulnerability, there are other steps you can take to minimize risk. Properly configuring server settings is arguably the best way to protect oneself from cybercrime, no matter what operating system is involved. It’s also a good idea to have systems set up to ensure that you can detect when you have been compromised.
Security software vendors like Continuity Software offer additional layers of protection. The Israeli-American company develops and sells a product called StorageGuard that analyzes the security configuration of storage and backup products to ensure that they’re working as intended.
StorageGuard actively monitors the configuration of backup and storage products from more than a dozen providers. In addition to the backup vendors mentioned above, it supports products from NetApp, Hitachi Vantara, Pure Storage, Rubrik, Veritas, Brocade, Cisco, Veeam, Cohesity, Infinidat, VMware, AWS, and Microsoft Azure. When it detects a deviation from a secure baseline, the product notifies the user and helps them remediate the issue.
The more cybercriminals succeed with attacking backup products, the more attacks we’re likely to have, Valik says.
“Threat actors understand that by compromising backup systems, they can disable an organization’s ability to recover – dramatically increasing the pressure to pay ransom demands and maximizing the impact of the breach,” he says. “This isn’t theoretical. Multiple vulnerabilities in leading backup products – including those from IBM – have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, confirming they are being used in real-world attacks.”
Many of these vulnerabilities stem from poor patching practices, such as improper authentication controls and misconfigured permissions, Valik says. “However, the fact that these flaws are being actively exploited in the wild shows that threat actors are succeeding in weaponizing them,” he says.
StorageGuard supports IBM i and the widely used BRMS product, but it also supports a host of other backup and storage products used in IBM i environments, including Storage FlashSystem, Storage Fusion HCI System, Storage Scale System, Storage Ceph, Storage DS8000, Storage Protect (Tivoli Storage Manager), and Storage Defender, among others.
“Many of Continuity’s enterprise customers run IBM i systems, and StorageGuard integrates into these environments to help harden their configurations and proactively detect vulnerabilities,” Valik says.
The good news is that it appears IBM i shops have gotten religion when it comes to security. The latest State of IBM i Security report from Fortra suggests that IBM i shops are “attacking” their security vulnerabilities and adopting better, safer system configurations. However, in the dynamic world of cybersecurity, nothing stays the same for long. Today’s strength can turn into tomorrow’s weakness. The only path to the security promised land is elevated and sustained vigilance.