PowerFlex: GW Apache Tomcat vulnerability: CVE-2025-24813

Summary: PowerFlex Gateway (GW) uses Apache Tomcat for REST Gateway, PowerFlex Installer, and SNMP Trap Sender.


Instructions

CVE Details

CVE: CVE-2025-24813
Title: Apache Tomcat Remote Code Execution Vulnerability
Description: Remote Code Execution (RCE) vulnerability that requires several conditions (e.g., writable directory, deserialization trigger, Java environment) to be met for a successful exploit.
Affected Version: Apache Tomcat 9.0.0.M1-9.0.98
Fixed Version: Tomcat version 9.0.99 and higher

Resolution

PowerFlex version 3.x

PowerFlex SW-only deployments and PowerFlex Manager (PFxM) running GW versions 3.x.x are not impacted by this CVE, because at least one of the prerequisites listed in the CVE description above is not present in the GW: it does not have writes enabled for the default servlet.
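
The two conditions this article relies on can be checked on any Tomcat 9.0.x instance: whether the version falls in the affected range listed above, and whether a default servlet in web.xml has writes enabled. The following is an added example, not code from Dell or from this article; it assumes the standard Tomcat "readonly" init-param on org.apache.catalina.servlets.DefaultServlet, and the function names and sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
AFFECTED_MAX = (9, 0, 98)  # article: affected 9.0.0.M1-9.0.98, fixed in 9.0.99+

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # web.xml declares a namespace; keep local name

def _children(elem):
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def writable_default_servlets(web_xml_text):
    """Names of DefaultServlet entries whose 'readonly' init-param is false."""
    hits = []
    for servlet in ET.fromstring(web_xml_text).iter():
        info = _children(servlet)
        if _local(servlet.tag) != "servlet" or info.get("servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            kv = _children(param)
            if (_local(param.tag) == "init-param" and kv.get("param-name") == "readonly"
                    and kv.get("param-value", "").lower() == "false"):
                hits.append(info.get("servlet-name", "?"))
    return hits

def in_affected_range(version):
    """True for Tomcat 9.0.0.M1 through 9.0.98, the only range this article lists."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m or m.group(1, 2) != ("9", "0"):
        raise ValueError(f"only 9.0.x versions are covered here: {version!r}")
    return tuple(map(int, m.groups())) <= AFFECTED_MAX

def assess(version, web_xml_text):
    if not in_affected_range(version):
        return "fixed version"
    if writable_default_servlets(web_xml_text):
        return "affected version, write prerequisite present"
    return "affected version, write prerequisite absent"

# Constructed sample web.xml fragments (not taken from a PowerFlex Gateway).
_TEMPLATE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  {param}
</servlet></web-app>"""
SAMPLE_WRITABLE = _TEMPLATE.format(
    param="<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>")
SAMPLE_READONLY = _TEMPLATE.format(param="")  # no param: Tomcat's read-only default applies
```

A writable default servlet is only one of the prerequisites named in the CVE description, so "write prerequisite present" means the instance needs further review or an upgrade, while "write prerequisite absent" on an affected version is the scanner false-positive case this article describes.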

 

PowerFlex version 4.x

For PowerFlex Rack (RCM) or Appliance (IC) deployments, an upgrade to a later Tomcat version is planned in PowerFlex Management Platform (PFMP) version 4.8, so that scans no longer raise this item as a false positive.



Impacted Versions

PowerFlex 3.x

PFMP 4.x

Fixed In Version

PowerFlex 3.6.6 - GW running Apache Tomcat 9.0.102

PFMP 4.8

 

Affected Products

PowerFlex rack, ScaleIO
Article Properties
Article Number: 000343625
Article Type: How To
Last Modified: 11 Jul 2025
Version:  3