CVE-2026-10880
OSNexus · QuantaStor SDS Manager
A SQL injection vulnerability in the OSNexus QuantaStor SDS Manager login endpoint allows unauthenticated attackers to bypass authentication.
Executive summary
OSNexus QuantaStor SDS Manager contains a critical SQL injection vulnerability that allows unauthenticated attackers to bypass authentication and gain administrative access.
Vulnerability
The username field in the login endpoint lacks proper sanitization, allowing an unauthenticated remote attacker to inject SQL commands and bypass password requirements to log in as an administrator.
Business impact
With a CVSS score of 9.8, this flaw allows for full administrative compromise of the storage management interface. This could result in unauthorized access to stored data, configuration changes, or the complete destruction of storage volumes, severely impacting business continuity and data integrity.
Remediation
Immediate Action: Apply the latest security updates provided by OSNexus to patch the login endpoint.
Proactive Monitoring: Monitor server logs for login requests whose username field contains SQL metacharacters or keywords, and for bursts of failed login attempts followed by a successful administrative session.
Compensating Controls: Implement a Web Application Firewall (WAF) to detect and block common SQL injection patterns targeting the management interface.
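The monitoring advice above, as an added example that is not OSNexus code or part of this advisory: a small Python detector that scans login events for SQL metacharacters in the username field and for repeated failures from one source address shortly before an administrative login. The log format and the sample lines are constructed for illustration; a real deployment would adapt the parser to the actual QuantaStor log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real QuantaStor output). Assumed format:
#   <ISO timestamp> <src_ip> login user="<name>" result=<FAIL|SUCCESS> [role=<role>]
SAMPLE_LOG = """\
2026-03-01T10:00:01Z 203.0.113.7 login user="alice" result=FAIL
2026-03-01T10:00:05Z 203.0.113.7 login user="alice" result=FAIL
2026-03-01T10:00:09Z 203.0.113.7 login user="admin' OR '1'='1" result=SUCCESS role=admin
2026-03-01T10:05:00Z 198.51.100.4 login user="bob" result=SUCCESS role=user
2026-03-01T11:00:00Z 198.51.100.9 login user="carol" result=FAIL
2026-03-01T12:30:00Z 198.51.100.9 login user="carol" result=SUCCESS role=admin
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) login user="(?P<user>.*)" result=(?P<result>\w+)'
    r'(?: role=(?P<role>\w+))?'
)
# Quote characters, comment sequences and SQL keywords have no place in a username.
SQLI_RE = re.compile(r"""['"]|--|/\*|;|\b(?:or|and|union|select)\b""", re.IGNORECASE)


def parse(log_text):
    """Yield one dict per well-formed login event; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def analyze(log_text, max_fail=2, window_s=300):
    """Return (injection-like usernames, IPs with >=max_fail failures within window_s before an admin login)."""
    injection, sequences = [], []
    recent_fail = defaultdict(list)  # src_ip -> timestamps of recent failures
    for ev in parse(log_text):
        if SQLI_RE.search(ev["user"]):
            injection.append((ev["ip"], ev["user"]))
        fails = recent_fail[ev["ip"]]
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            continue
        cutoff = ev["ts"] - timedelta(seconds=window_s)
        fails[:] = [t for t in fails if t >= cutoff]  # keep only failures inside the window
        if ev["role"] == "admin" and len(fails) >= max_fail:
            sequences.append(ev["ip"])
        fails.clear()
    return injection, sequences
```

Carol's failure an hour and a half before her admin login falls outside the 300-second window and is not flagged, which keeps ordinary mistyped passwords out of the alert stream.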
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability is critical because it provides an unauthenticated path to administrative privileges. Administrators should ensure the QuantaStor SDS Manager is fully patched and shielded from direct public exposure until updates are successfully applied.