DSA-2025-208: Security Update for Dell PowerScale OneFS for Multiple Vulnerabilities
Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Impact
Critical
Details
| Third-party Component | CVEs | More Information |
| FreeBSD | CVE-2024-53580 | https://nvd.nist.gov/vuln/search |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2024-53298 | Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.0.1, contains a missing authorization vulnerability in the NFS export. An unauthenticated attacker with remote access could potentially exploit this vulnerability leading to unauthorized filesystem access. The attacker may be able to read, modify, and delete arbitrary files. This vulnerability is considered critical as it can be leveraged to fully compromise the system. Dell recommends customers to upgrade at the earliest opportunity. | 9.8 | |
| CVE-2025-32753 | Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.0.1, contains an improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service, information disclosure, and information tampering. | 5.3 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2024-53298 | Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.0.1, contains a missing authorization vulnerability in the NFS export. An unauthenticated attacker with remote access could potentially exploit this vulnerability leading to unauthorized filesystem access. The attacker may be able to read, modify, and delete arbitrary files. This vulnerability is considered critical as it can be leveraged to fully compromise the system. Dell recommends customers to upgrade at the earliest opportunity. | 9.8 | |
| CVE-2025-32753 | Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.0.1, contains an improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service, information disclosure, and information tampering. | 5.3 |
Affected Products & Remediation
| CVEs Addressed | Product | Affected Versions | Remediated Versions | Link |
| CVE-2024-53298, CVE-2025-32753, CVE-2024-53580 | PowerScale OneFS | Versions 9.5.0.0 through 9.10.0.1 | Version 9.10.1.2 or later | PowerScale OneFS Downloads Area |
| CVE-2024-53298, CVE-2025-32753, CVE-2024-53580 | PowerScale OneFS | Versions 9.7.0.0 through 9.7.1.7 | Version 9.7.1.8 or later | PowerScale OneFS Downloads Area |
| CVE-2024-53298 | PowerScale OneFS | Versions 9.5.0.0 through 9.5.1.2 | Version 9.5.1.4 or later | PowerScale OneFS Downloads Area |
| CVEs Addressed | Product | Affected Versions | Remediated Versions | Link |
| CVE-2024-53298, CVE-2025-32753, CVE-2024-53580 | PowerScale OneFS | Versions 9.5.0.0 through 9.10.0.1 | Version 9.10.1.2 or later | PowerScale OneFS Downloads Area |
| CVE-2024-53298, CVE-2025-32753, CVE-2024-53580 | PowerScale OneFS | Versions 9.7.0.0 through 9.7.1.7 | Version 9.7.1.8 or later | PowerScale OneFS Downloads Area |
| CVE-2024-53298 | PowerScale OneFS | Versions 9.5.0.0 through 9.5.1.2 | Version 9.5.1.4 or later | PowerScale OneFS Downloads Area |
Notes:
- The Affected Products and Remediation table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
- We encourage all customers to adopt the Long-Term Support (LTS) 2025 version which is 9.10.x code line, with the latest maintenance.
- For more information on LTS code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary and Security Update Release Schedule for Supported Versions of Dell PowerScale OneFS.
Workarounds & Mitigations
| CVE ID | Workaround and Mitigation |
|
CVE-2024-53298 |
The vulnerability applies to all PowerScale product versions where NFSv3 or NFSv4 is enabled, and an export is configured.
Mitigation To mitigate the issue without disrupting client connections, reload each zone with configured NFS exports using the following CLI command: isi nfs export reload --zone=zone_name The mitigation must be reapplied whenever a zone reactivation occurs typically due to changes in IP address movement (interface state change, network pool re-configuration/rebalancing, nodes are added or removed, etc.)
Impact of Applying the Mitigation When zones are reloaded, new client mounts to affected NFS exports may experience a brief delay (less than 1s) before succeeding, while existing connections remain active and uninterrupted. Active operations are unaffected because NFS clients automatically retry requests during transient unavailability.
Note: A full product upgrade is required for permanent remediation. |
Revision History
| Revision | Date | Description |
| 1.0 | 2025-06-04 | Initial Release |
| 2.0 | 2025-06-30 | Update to include 9.5.1.4 remediated version and CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 |
| 3.0 | 2025-07-24 | Update to Workaround and Mitigation; no other changes |
| 4.0 | 2025-08-25 | Updates to Workaround and Mitigation and Additional Information sections |
| 5.0 | 2025-10-22 | Removed SupportAssist |
Acknowledgements
Dell would like to thank zzcentury from Ubisectech Sirius Team for reporting CVE-2025-32753.
Related Information
Legal Disclaimer
Affected Products
PowerScale OneFSArticle Properties
Article Number: 000326339
Article Type: Dell Security Advisory
Last Modified: 22 Oct 2025
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.