DSA-2025-435: Security Update for Dell PowerFlex Rack Multiple Third-Party Component Vulnerabilities
Samenvatting: Dell PowerFlex Rack remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Dit artikel is van toepassing op
Dit artikel is niet van toepassing op
Dit artikel is niet gebonden aan een specifiek product.
Niet alle productversies worden in dit artikel vermeld.
Impact
Critical
Gegevens
| Third-party Component | CVEs | More Information |
| Dell PowerEdge Server BIOS | CVE-2024-31068, CVE-2024-28047, CVE-2024-39279, CVE-2024-36293, CVE-2024-28956, CVE-2024-45332, CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2024-36357, CVE-2024-36350, CVE-2024-36348, CVE-2024-33607, CVE-2025-20109, CVE-2025-20044, CVE-2024-56161, CVE-2024-25571, CVE-2024-37020, CVE-2024-21859, CVE-2024-31155 | DSA-2024-381, DSA-2025-041, DSA-2025-156, DSA-2025-181, DSA-2025-324, DSA-2025-156, DSA-2025-040, DSA-2025-042, https://nvd.nist.gov/vuln/search  |
| iDRAC | CVE-2025-26482, CVE-2025-22397, CVE-2024-45490, CVE-2024-45491, CVE-2024-45492, CVE-2024-50602, CVE-2024-2961, CVE-2024-52533, CVE-2023-6780, CVE-2025-26466 | DSA-2025-046, DSA-2025-146, DSA-2025-145 |
| Cisco Switches | CVE-2025-20191, CVE-2025-20161, CVE-2025-20111 | https://nvd.nist.gov/vuln/search |
| VMware | CVE-2025-41225, CVE-2025-41226, CVE-2025-41227, CVE-2025-41228, CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239, CVE-2025-41241, CVE-2025-41250 | VMSA-2025-0010, VMSA-2025-0013, VMSA-2025-0014, VMSA-2025-0016 |
| Sudo | CVE-2025-32463 | https://nvd.nist.gov/vuln/search |
| Embedded Service Enabler | CVE-2025-0938, CVE-2025-31115, CVE-2024-35195, CVE-2022-40899, CVE-2024-7592, CVE-2024-2511, CVE-2024-37891, CVE-2023-32681, CVE-2024-47611, CVE-2024-6232, CVE-2020-22916, CVE-2024-3219, CVE-2024-6923, CVE-2024-6345, CVE-2023-7104, CVE-2025-26329, CVE-2024-39689 | https://nvd.nist.gov/vuln/search |
| Numpy | CVE-2021-41495 | https://nvd.nist.gov/vuln/search |
| OpenJDK | CVE-2025-21502 | https://nvd.nist.gov/vuln/search |
| OpenSSH | CVE-2023-48795 | https://nvd.nist.gov/vuln/search |
| Go | CVE-2024-24790 | https://nvd.nist.gov/vuln/search |
| PostgreSQL | CVE-2024-0985, CVE-2023-5869 | https://nvd.nist.gov/vuln/search |
| Redis | CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819 | https://nvd.nist.gov/vuln/search |
| IntelAdapters | CVE-2024-24852, CVE-2024-36274 | DSA-2025-042 |
| bundler | CVE-2020-36327 | https://nvd.nist.gov/vuln/search |
| cryptography | CVE-2023-50782 | https://nvd.nist.gov/vuln/search |
| Docker | CVE-2024-41110 | https://nvd.nist.gov/vuln/search |
| GoFiber | CVE-2024-38513 | https://nvd.nist.gov/vuln/search |
| GoGo Protobuf | CVE-2021-3121 | https://nvd.nist.gov/vuln/search |
| pgproto3, pgx | CVE-2024-27304 | https://nvd.nist.gov/vuln/search |
| glibc | CVE-2024-2961, CVE-2024-33599, CVE-2024-33600 | https://nvd.nist.gov/vuln/search |
| golang.org/x/crypto | CVE-2022-27191 | https://nvd.nist.gov/vuln/search |
| java-17-openjdk | CVE-2024-20918, CVE-2024-20932, CVE-2024-20952, CVE-2024-21147 | https://nvd.nist.gov/vuln/search |
| keycloak-core | CVE-2024-10039, CVE-2023-6841 | https://nvd.nist.gov/vuln/search |
| keycloak-quarkus-server | CVE-2024-10451 | https://nvd.nist.gov/vuln/search |
| keycloak-saml-core | CVE-2024-8698 | https://nvd.nist.gov/vuln/search |
| keycloak-services | CVE-2024-3656, CVE-2024-7341, CVE-2024-4540, CVE-2024-1132, CVE-2024-1249, CVE-2023-6291, CVE-2024-2419, CVE-2024-10270 | https://nvd.nist.gov/vuln/search |
| krb5 | CVE-2024-26458, CVE-2024-26461, CVE-2024-26462, CVE-2024-37370 | https://nvd.nist.gov/vuln/search |
| libxml2-2 | CVE-2024-56171 | https://nvd.nist.gov/vuln/search |
| nokogiri | CVE-2025-24855, CVE-2024-55549 | https://nvd.nist.gov/vuln/search |
| postgresql15 | CVE-2025-1094 | https://nvd.nist.gov/vuln/search |
| rexml | CVE-2021-28965, CVE-2024-43398 | https://nvd.nist.gov/vuln/search |
| go-grpc-compression | CVE-2024-36129 | https://nvd.nist.gov/vuln/search |
| stdlib | CVE-2022-30632, CVE-2023-45288, CVE-2024-24791, CVE-2024-34156 | https://nvd.nist.gov/vuln/search |
| Keycloak | CVE-2025-7962, CVE-2025-49574, CVE-2025-55163, CVE-2025-58057, CVE-2025-48924, CVE-2025-9162, CVE-2025-8419, CVE-2025-7784, CVE-2025-7365, CVE-2025-50106, CVE-2025-30749 | https://nvd.nist.gov/vuln/search |
| Proprietary Code CVE | Description | CVSS Base Score | CVSS Vector String |
| CVE-2025-46371 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) a Use of a Broken or Risky Cryptographic Algorithm vulnerability in the ssh. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Protection mechanism bypass. | 3.6 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
| CVE-2025-32751 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Insecure Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to sensitive information. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2025-32750 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2025-32749 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Incorrect Default Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | 5.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| CVE-2025-32747 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | 5.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| CVE-2025-32746 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Insecure Storage of Sensitive Information vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to sensitive information. | 4.0 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVE-2025-32745 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Improper Certificate Validation vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information tampering. | 4.2 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2025-26483 | Dell PowerFlex Manager, versions 4.6.2 and prior, contains an Open Redirect Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability, leading to a targeted application user being redirected to arbitrary web URLs. The vulnerability could be leveraged by attackers to conduct phishing attacks that cause users to divulge sensitive information. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Proprietary Code CVE | Description | CVSS Base Score | CVSS Vector String |
| CVE-2025-46371 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) a Use of a Broken or Risky Cryptographic Algorithm vulnerability in the ssh. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Protection mechanism bypass. | 3.6 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
| CVE-2025-32751 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Insecure Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to sensitive information. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2025-32750 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2025-32749 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Incorrect Default Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | 5.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| CVE-2025-32747 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | 5.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| CVE-2025-32746 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Insecure Storage of Sensitive Information vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to sensitive information. | 4.0 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVE-2025-32745 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Improper Certificate Validation vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information tampering. | 4.2 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2025-26483 | Dell PowerFlex Manager, versions 4.6.2 and prior, contains an Open Redirect Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability, leading to a targeted application user being redirected to arbitrary web URLs. The vulnerability could be leveraged by attackers to conduct phishing attacks that cause users to divulge sensitive information. | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Getroffen producten en herstel
| Product | Affected Versions | Remediated Versions | Link |
| PowerFlex rack | Versions prior to 3.7.8.0 | Version 3.7.8.0 | RCM release |
| PowerFlex Rack | Versions prior to 3.8.3.0 | Version 3.8.3.0 | RCM release |
| Product | Affected Versions | Remediated Versions | Link |
| PowerFlex rack | Versions prior to 3.7.8.0 | Version 3.7.8.0 | RCM release |
| PowerFlex Rack | Versions prior to 3.8.3.0 | Version 3.8.3.0 | RCM release |
In the case of manual upgrade for PowerFlex rack, please see this link: https://www.dell.com/support/home/en-us/product-support/product/powerflex-rack-rcm-sw/drivers
Revisiegeschiedenis
| Revision | Date | Description |
| 1.0 | 2025-11-13 | Initial Release |
| 2.0 | 2025-11-17 | Updated CVE Identifier, Third Party Components: Added CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819 |
| 3.0 | 2025-11-24 | Updated CVE Identifier, Third Party Components: Added CVE-2024-24852, CVE-2024-36274 |
| 4.0 | 2025-11-26 | Added details for CVE-2025-41250 |
| 5.0 | 2025-12-11 | Update addressed 40 CVEs in Third Party Components |
| 6.0 | 2026-01-20 | Updated CVE Identifier, Third Party Components: Added Keycloak 11 CVEs |
Verwante informatie
Juridische verklaring van afstand
Getroffen producten
PowerFlex rack, PowerFlex rack RCM SoftwareArtikeleigenschappen
Artikelnummer: 000391568
Artikeltype: Dell Security Advisory
Laatst aangepast: 20 jan. 2026
Vind antwoorden op uw vragen via andere Dell gebruikers
Support Services
Controleer of uw apparaat wordt gedekt door Support Services.