
DSA-2025-119: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.


Impact

Critical

Details

Proprietary Code CVEs

CVE-2025-27690
  Description: Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.0, contains a use of default password vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to the takeover of a high privileged user account.
  CVSS Base Score: 9.8
  CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2025-26330
  Description: Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an incorrect authorization vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability to access the cluster with previous privileges of a disabled user account.
  CVSS Base Score: 7.0
  CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2025-22471
  Description: Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an integer overflow or wraparound vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.
  CVSS Base Score: 6.5
  CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2025-26480
  Description: Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.0.0, contains an uncontrolled resource consumption vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.
  CVSS Base Score: 5.3
  CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2025-23378
  Description: Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.0, contains an exposure of information through directory listing vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure.
  CVSS Base Score: 3.3
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2025-26479
  Description: Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.0, contains an out-of-bounds write vulnerability. An attacker could potentially exploit this vulnerability in NFS workflows, leading to data integrity issues.
  CVSS Base Score: 3.1
  CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N


Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

CVEs Addressed: CVE-2025-23378
  Product: PowerScale OneFS
  Affected Versions: Version 9.4.0.0 through 9.10.0.0
  Remediated Versions: Version 9.10.1.1 or later
  Link: PowerScale OneFS Downloads Area

CVEs Addressed: CVE-2025-26479, CVE-2025-26330, CVE-2025-22471
  Product: PowerScale OneFS
  Affected Versions: Version 9.4.0.0 through 9.10.0.1
  Remediated Versions: Version 9.10.1.1 or later
  Link: PowerScale OneFS Downloads Area

CVEs Addressed: CVE-2025-26480
  Product: PowerScale OneFS
  Affected Versions: Version 9.5.0.0 through 9.10.0.0
  Remediated Versions: Version 9.10.1.1 or later
  Link: PowerScale OneFS Downloads Area

CVEs Addressed: CVE-2025-22471
  Product: PowerScale OneFS
  Affected Versions: Version 9.4.0.0 through 9.4.0.20
  Remediated Versions: Version 9.4.0.21 or later
  Link: PowerScale OneFS Downloads Area

CVEs Addressed: CVE-2025-22471, CVE-2025-26480, CVE-2025-26479, CVE-2025-23378
  Product: PowerScale OneFS
  Affected Versions: Version 9.5.0.0 through 9.5.1.2
  Remediated Versions: Version 9.5.1.3 or later
  Link: PowerScale OneFS Downloads Area

CVEs Addressed: CVE-2025-26330, CVE-2025-22471, CVE-2025-26480, CVE-2025-26479, CVE-2025-23378
  Product: PowerScale OneFS
  Affected Versions: Version 9.7.0.0 through 9.7.1.4
  Remediated Versions: Version 9.7.1.5 or later
  Link: PowerScale OneFS Downloads Area

CVEs Addressed: CVE-2025-27690
  Product: PowerScale OneFS
  Affected Versions: Version 9.5.0.0 through 9.5.1.2
  Remediated Versions: Version 9.5.1.3 or later
  Link: PowerScale OneFS Downloads Area

CVEs Addressed: CVE-2025-27690
  Product: PowerScale OneFS
  Affected Versions: Version 9.6.0.0 through 9.7.1.6
  Remediated Versions: Version 9.7.1.7 or later
  Link: PowerScale OneFS Downloads Area

CVEs Addressed: CVE-2025-27690
  Product: PowerScale OneFS
  Affected Versions: Version 9.8.0.0 through 9.8.0.2
  Remediated Versions: Version 9.8.0.3 or later
  Link: PowerScale OneFS Downloads Area

CVEs Addressed: CVE-2025-27690
  Product: PowerScale OneFS
  Affected Versions: Version 9.9.0.0 through 9.9.0.1
  Remediated Versions: Version 9.9.0.2 or later
  Link: PowerScale OneFS Downloads Area

CVEs Addressed: CVE-2025-27690
  Product: PowerScale OneFS
  Affected Versions: Version 9.10.0.0 through 9.10.1.0
  Remediated Versions: Version 9.10.1.1 or later
  Link: PowerScale OneFS Downloads Area


We encourage all customers to adopt the Long-Term Support (LTS) 2025 version, which is the 9.10.1.x code line, with the latest maintenance release, currently MR 9.10.1.1. For more information on LTS code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary.
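As an added example that is not part of Dell's advisory, the following Python transcribes the remediation table above and reports, for a given installed OneFS version string, which CVEs from this advisory still apply and the nearest remediated release. It reads a remediated version on the same code line (first three version components) at or below the installed version as meaning that fix is already present; that reading, and the sample version strings, are this example's assumptions, not statements from Dell.

```python
# Added example for DSA-2025-119, not Dell code: transcribes the
# "Affected Products & Remediation" table and evaluates an installed OneFS version against it.
from typing import NamedTuple

class Row(NamedTuple):
    cves: tuple
    affected_lo: str   # first affected version in the table row
    affected_hi: str   # last affected version in the table row
    fixed: str         # "Remediated Versions: X or later"

# One Row per table row, in the order the advisory lists them.
REMEDIATION = [
    Row(("CVE-2025-23378",), "9.4.0.0", "9.10.0.0", "9.10.1.1"),
    Row(("CVE-2025-26479", "CVE-2025-26330", "CVE-2025-22471"), "9.4.0.0", "9.10.0.1", "9.10.1.1"),
    Row(("CVE-2025-26480",), "9.5.0.0", "9.10.0.0", "9.10.1.1"),
    Row(("CVE-2025-22471",), "9.4.0.0", "9.4.0.20", "9.4.0.21"),
    Row(("CVE-2025-22471", "CVE-2025-26480", "CVE-2025-26479", "CVE-2025-23378"), "9.5.0.0", "9.5.1.2", "9.5.1.3"),
    Row(("CVE-2025-26330", "CVE-2025-22471", "CVE-2025-26480", "CVE-2025-26479", "CVE-2025-23378"), "9.7.0.0", "9.7.1.4", "9.7.1.5"),
    Row(("CVE-2025-27690",), "9.5.0.0", "9.5.1.2", "9.5.1.3"),
    Row(("CVE-2025-27690",), "9.6.0.0", "9.7.1.6", "9.7.1.7"),
    Row(("CVE-2025-27690",), "9.8.0.0", "9.8.0.2", "9.8.0.3"),
    Row(("CVE-2025-27690",), "9.9.0.0", "9.9.0.1", "9.9.0.2"),
    Row(("CVE-2025-27690",), "9.10.0.0", "9.10.1.0", "9.10.1.1"),
]

def parse_version(text):
    # "9.10.1.1" -> (9, 10, 1, 1). Compare numerically, not as strings,
    # so that 9.10.x sorts after 9.9.x.
    return tuple(int(p) for p in text.strip().lstrip("v").split("."))

def exposure(installed):
    """Map each CVE that still applies to `installed` to the nearest remediated version.
    Assumption (this example's, not Dell's): a remediated version on the same code line
    (first three components) at or below the installed version means that fix is already
    present; this resolves the overlap between the broad 9.4.0.0-9.10.0.1 rows and the per-line rows."""
    ver = parse_version(installed)
    affected, remediated = {}, set()
    for row in REMEDIATION:
        lo, hi, fixed = (parse_version(v) for v in (row.affected_lo, row.affected_hi, row.fixed))
        for cve in row.cves:
            if lo <= ver <= hi and (cve not in affected or fixed < affected[cve]):
                affected[cve] = fixed
            if fixed[:3] == ver[:3] and fixed <= ver:
                remediated.add(cve)
    return {cve: ".".join(map(str, v)) for cve, v in affected.items() if cve not in remediated}

if __name__ == "__main__":
    # Constructed sample version strings, not read from a real cluster.
    for sample in ("9.4.0.15", "9.7.1.5", "9.10.1.1"):
        print(sample, exposure(sample) or "no CVEs from DSA-2025-119 apply")
```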

Workarounds & Mitigations

CVE ID: CVE-2025-27690

Workaround and Mitigation:

These independent workarounds can be put in place until an upgrade to a fixed release or a patch can be applied.

Note: Authentication Provider hash types can be viewed with isi auth file view System in the "Password Hash Type" entry.

Workaround 1:

Add the impacted users to the "Users who cannot be modified" list.

For clusters that have not switched to SHA256 or SHA512 hash types:

  isi auth file modify System --add-unmodifiable-users=compadmin,remotesupport,ese,insightiq,www,nobody,git_daemon,isdmgmt --remove-modifiable-users=compadmin,remotesupport,ese,insightiq,www,nobody,git_daemon,isdmgmt --restrict-modifiable=true

For clusters that have switched to SHA256 or SHA512 hash types, add the users above and also include other file provider users with system privileges:

  isi auth file modify System --add-unmodifiable-users=root,admin --remove-modifiable-users=root,admin --restrict-modifiable=true

Once the patch is applied, if you use these users, you can make them modifiable again.

Workaround 2:

For clusters that have not switched to SHA256 or SHA512 hash types: set or reset the password for the users that are not blocked for modification in the System zone file provider, and disable them.

  • compadmin, remotesupport, ese, insightiq, www, nobody, git_daemon, isdmgmt

Workaround 3:

Disable the WebUI and API via the CLI:

  isi http services modify Platform-API-External --enabled=false

This does not completely mitigate the issue, as it could still be abused by users with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH.

Workaround 4:

Limit access to the API and WebUI to trusted networks via a firewall rule:

  • Enable the firewall
  • In "default_pools_policy", modify "rule_isi_webui" to restrict "source network" to a trusted set of networks/IPs

This does not completely mitigate the issue, as it could still be abused by users with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH, as well as by users on the IPs allowed through the firewall.

Revision History

Revision  Date        Description
1.0       2025-04-07  Initial Release
2.0       2025-04-07  Minor update; Formatting changes only
3.0       2025-04-09  Minor update; Removed a duplicate entry

Related Information

Affected Products

PowerScale OneFS
Article Properties
Article Number: 000300860
Article Type: Dell Security Advisory
Last Modified: 09 Apr 2025