DSA-2026-063: Security Update for PowerFlex Rack Multiple Vulnerabilities

Resumen: PowerFlex Rack remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

Este artículo se aplica a Este artículo no se aplica a Este artículo no está vinculado a ningún producto específico. No se identifican todas las versiones del producto en este artículo.

Impacto

Critical

Detalles

Third-party Component CVEs More Information
Dell PowerEdge Server BIOS CVE-2023-31351, CVE-2024-21953, CVE-2024-21965, CVE-2024-36331, CVE-2024-21977, CVE-2024-36354, CVE-2025-0032, CVE-2025-20053, CVE-2025-24305, CVE-2025-21090, CVE-2025-20613, CVE-2025-21096, CVE-2025-22853, CVE-2025-20037, CVE-2025-20067, CVE-2025-22392, CVE-2025-20077, CVE-2025-20064, CVE-2025-20068, CVE-2025-20105, CVE-2025-20028, CVE-2025-20027, CVE-2025-20005, CVE-2025-20073, CVE-2025-0033, CVE-2025-29943, CVE-2025-29934, CVE-2024-42446, CVE-2025-22885, CVE-2023-31364 DSA-2025-232, DSA-2025-298DSA-2025-297, DSA-2025-352, DSA-2025-351DSA-2025-370, DSA-2026-224, DSA-2026-011, DSA-2026-075, https://nvd.nist.gov/vuln/search This hyperlink is taking you to a website outside of Dell Technologies.
Cisco Nexus 3000 and 9000 Series Switches CVE-2026-20171, CVE-2025-20292, CVE-2025-20290, CVE-2025-20262 https://nvd.nist.gov/vuln/search This hyperlink is taking you to a website outside of Dell Technologies.
Intel CVE-2025-24486, CVE-2025-25273, CVE-2025-21086, CVE-2025-26863, CVE-2025-26697, CVE-2025-24511 DSA-2025-324
AMD CVE-2025-29934 DSA-2025-350
TPM CVE-2025-2884, CVE-2026-6923 DSA-2025-232, DSA-2026-224
kernel CVE-2026-31431 https://nvd.nist.gov/vuln/search This hyperlink is taking you to a website outside of Dell Technologies.
 
open ssh CVE-2025-61984 https://nvd.nist.gov/vuln/search This hyperlink is taking you to a website outside of Dell Technologies.
 
java CVE-2025-50106, CVE-2025-30749 https://nvd.nist.gov/vuln/search This hyperlink is taking you to a website outside of Dell Technologies.
netty CVE-2025-55163, CVE-2025-58057 https://nvd.nist.gov/vuln/search This hyperlink is taking you to a website outside of Dell Technologies.
commons-lang3 CVE-2025-48924 https://nvd.nist.gov/vuln/search This hyperlink is taking you to a website outside of Dell Technologies.
angus_smtp CVE-2025-7962 https://nvd.nist.gov/vuln/search This hyperlink is taking you to a website outside of Dell Technologies.
quarkus-vertx CVE-2025-49574 https://nvd.nist.gov/vuln/search This hyperlink is taking you to a website outside of Dell Technologies.
urllib3 CVE-2025-50181  https://nvd.nist.gov/vuln/search This hyperlink is taking you to a website outside of Dell Technologies.
Keycloak CVE-2024-8176, CVE-2025-53066, CVE-2025-58187, CVE-2025-58188, CVE-2025-59250, CVE-2025-59375, CVE-2025-61723, CVE-2025-61725, CVE-2025-9086, CVE-2025-9187, CVE-2025-9230, CVE-2025-9162, CVE-2025-8419, CVE-2025-7784, CVE-2025-7365 https://nvd.nist.gov/vuln/search This hyperlink is taking you to a website outside of Dell Technologies.

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2025-32748 Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) a Host Header Injection vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability to trigger redirections. 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-22283 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Inclusion of Functionality from Untrusted Control Sphere vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-40641 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Use of a Broken or Risky Cryptographic Algorithm vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering. 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-35069 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Script injection. 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-35068 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure. 3.5 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-35066 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service. 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-35067 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges and Unauthorized access. 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-35162 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service. 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-35065 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Information tampering, Remote execution, Script injection, and Unauthorized access. 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-32804 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Unauthorized access. 8.1 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-49502 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure, Information tampering, and Unauthorized access. 7.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-47477 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to man-in-the-middle attack in tandem with DNS cache poisoning. 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-56690 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure, Information exposure, and Unauthorized access. 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-56689 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-56688 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability during OS Repository processing to achieve arbitrary command execution as root, potentially leading to full appliance compromise and lateral movement into managed infrastructure. 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2025-32748 Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) a Host Header Injection vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability to trigger redirections. 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-22283 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Inclusion of Functionality from Untrusted Control Sphere vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-40641 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Use of a Broken or Risky Cryptographic Algorithm vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering. 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-35069 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Script injection. 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-35068 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure. 3.5 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-35066 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service. 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-35067 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges and Unauthorized access. 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-35162 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service. 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-35065 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Information tampering, Remote execution, Script injection, and Unauthorized access. 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-32804 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Unauthorized access. 8.1 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-49502 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure, Information tampering, and Unauthorized access. 7.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-47477 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to man-in-the-middle attack in tandem with DNS cache poisoning. 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-56690 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure, Information exposure, and Unauthorized access. 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-56689 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2026-56688 Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability during OS Repository processing to achieve arbitrary command execution as root, potentially leading to full appliance compromise and lateral movement into managed infrastructure. 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
Dell Technologies recomienda que todos los clientes tengan en cuenta tanto la puntuación base como cualquier otra puntuación ambiental y temporal relevante que pueda afectar la posible gravedad asociada con la vulnerabilidad de seguridad en particular.

Corrección y productos afectados

Product Software / Firmware Affected Versions Remediated Versions Link
PowerFlex Rack RCM Versions prior to 3.9.1.1 Version 3.9.1.1 or later RCM release
PowerFlex Rack RCM Versions prior to 3.8.4.1
Version 3.8.4.1 or later
RCM release
Product Software / Firmware Affected Versions Remediated Versions Link
PowerFlex Rack RCM Versions prior to 3.9.1.1 Version 3.9.1.1 or later RCM release
PowerFlex Rack RCM Versions prior to 3.8.4.1
Version 3.8.4.1 or later
RCM release

In the case of manual upgrade for PowerFlex rack, please see this link: https://www.dell.com/support/home/en-us/product-support/product/powerflex-rack-rcm-sw/drivers

Historial de revisiones

RevisionDateDescription
1.02026-06-15Initial release
2.02026-06-15Updated for enhanced presentation with no changes to content
3.02026-06-23Updated for correct relationship with the upstream
4.02026-06-23Updated for enhanced presentation with no changes to content
5.02026-06-23Updated details for CVE-2025-32748
6.02026-06-23Updated details for CVE-2025-32748
7.02026-06-23Updated details for CVE-2025-32748
8.02026-06-29Added details for CVE-2026-22283, CVE-2026-40641, CVE-2026-35069, CVE-2026-35068, CVE-2026-35066, CVE-2026-35067, CVE-2026-35162, CVE-2026-35065, CVE-2026-32804, CVE-2026-49502, CVE-2024-47477
9.02026-07-06Added details for CVE-2026-56688, CVE-2026-56689, CVE-2026-56690
10.02026-07-10Updated for enhanced presentation with no changes to content

Reconocimientos

CVE-2026-49502, CVE-2026-32804, CVE-2026-35065, CVE-2026-35162, CVE-2026-35067, CVE-2026-35066, CVE-2026-3506, CVE-2026-35069 - Dell would like to thank brocked200 for reporting this issue.

Información relacionada

Productos afectados

PowerFlex rack, PowerFlex rack RCM Software, VxRack Flex-PowerEdge 14G
Propiedades del artículo
Número del artículo: 000477548
Tipo de artículo: Dell Security Advisory
Última modificación: 09 jul. 2026
Encuentre respuestas a sus preguntas de otros usuarios de Dell
Servicios de soporte
Compruebe si el dispositivo está cubierto por los servicios de soporte.