DSA-2025-204: Security Update for Dell PowerFlex Rack Multiple Third-Party Component Vulnerabilities
Summary: Dell PowerFlex Rack remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Impact
Critical
Details
| Third-party Component | CVEs | More Information |
| Dell PowerEdge Server BIOS | CVE-2024-24980, CVE-2024-24853, CVE-2023-22351, CVE-2024-21871, CVE-2023-25546, CVE-2023-42772, CVE-2024-21829, CVE-2024-21781, CVE-2023-41833, CVE-2023-43753, CVE-2024-23984, CVE-2024-24968, CVE-2024-21853, CVE-2024-38303, CVE-2024-38304, CVE-2024-21820, CVE-2024-23918, CVE-2024-25565, CVE-2024-36242, CVE-2024-24985, CVE-2024-22185, CVE-2024-21944, CVE-2024-27457, CVE-2024-21925, CVE-2024-21924, CVE-2024-21936, CVE-2024-21935, CVE-2024-21927, CVE-2023-20508, CVE-2023-20582, CVE-2023-20581, CVE-2023-31345, CVE-2024-56161, CVE-2024-38796, CVE-2024-36347, CVE-2023-20599 | DSA-2024-308, DSA-2024-383, DSA-2024-309, DSA-2024-310, DSA-2024-385, DSA-2025-085, DSA-2024-404, DSA-2025-040, DSA-2025-038, DSA-2025-112 |
| iDRAC | CVE-2023-52340, CVE-2024-42154, CVE-2026-26948 | DSA-2024-460, DSA-2026-113 |
| Apache MINA | CVE-2024-52046 | https://nvd.nist.gov/vuln/search |
| Intel Adapters | CVE-2024-24852, CVE-2024-36274 | DSA-2025-042 |
| Cisco Switches | CVE-2024-6387, CVE-2024-20286, CVE-2024-20285, CVE-2024-20284, CVE-2024-20289, CVE-2024-20413, CVE-2024-20411, CVE-2024-20397 | https://nvd.nist.gov/vuln/search |
| VMware ESXi | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | VMSA-2025-0004 |
| OpenSSH | CVE-2023-38408 | https://nvd.nist.gov/vuln/search |
| Proprietary Code CVE | Description | CVSS Base Score | CVSS Vector String |
| CVE-2025-36610 | Dell PowerFlex Manager versions 4.6.1 and prior contain an SMB Signing not required vulnerability. An adjacent unauthenticated attacker could potentially exploit this vulnerability, leading to a man-in-the-middle attack. | 6.3 | |
Affected Products and Remediation
| Product | Software/Firmware | Affected Versions | Remediated Versions | Link |
| PowerFlex rack | RCM | Versions prior to 3.7.7.0 | Version 3.7.7.0 or later | RCM release |
| PowerFlex rack | RCM | Versions prior to 3.8.2.0 | Version 3.8.2.0 or later | RCM release |
In the case of manual upgrade for PowerFlex rack, please see this link: https://www.dell.com/support/home/product-support/product/powerflex-rack-rcm-sw/drivers.
Revision History
| Revision | Date | Description |
| 1.0 | 2025-05-08 | Initial Release |
| 2.0 | 2025-07-15 | Added information for CVE-2023-20599 |
| 3.0 | 2025-07-17 | Added information for CVE-2025-36610 |
| 4.0 | 2025-11-24 | Added information for CVE-2023-38408 |
| 5.0 | 2026-03-18 | Added information for CVE-2026-26948 |