DSA-2026-064: Security Update for PowerFlex Appliance Multiple Vulnerabilities
Сводка: PowerFlex Appliance remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Данная статья применяется к
Данная статья не применяется к
Эта статья не привязана к какому-либо конкретному продукту.
В этой статье указаны не все версии продуктов.
Влияние
Critical
Подробные сведения
| Third-party Component | CVEs | More Information |
| Dell PowerEdge Server BIOS | CVE-2023-31351, CVE-2024-21953, CVE-2024-21965, CVE-2024-36331, CVE-2024-21977, CVE-2024-36354, CVE-2025-0032, CVE-2025-20053, CVE-2025-24305, CVE-2025-21090, CVE-2025-20613, CVE-2025-21096, CVE-2025-22853, CVE-2025-20037, CVE-2025-20067, CVE-2025-22392, CVE-2025-20077, CVE-2025-20064, CVE-2025-20068, CVE-2025-20105, CVE-2025-20028, CVE-2025-20027, CVE-2025-20005, CVE-2025-20073, CVE-2025-0033, CVE-2025-29943, CVE-2025-29934, CVE-2024-42446, CVE-2025-22885, CVE-2023-31364 | DSA-2025-298, DSA-2025-297, DSA-2025-352, DSA-2025-351, DSA-2025-350, DSA-2025-370, DSA-2026-011, DSA-2026-075 |
| TPM | CVE-2025-2884, CVE-2026-6923 | DSA-2025-232, DSA-2026-224 |
| Intel | CVE-2025-24486, CVE-2025-25273, CVE-2025-21086, CVE-2025-26863, CVE-2025-26697, CVE-2025-24511 | https://nvd.nist.gov/vuln/search |
| kernel | CVE-2026-31431 | https://nvd.nist.gov/vuln/search |
| open ssh | CVE-2025-61984 | https://nvd.nist.gov/vuln/search |
| java | CVE-2025-50106, CVE-2025-30749 | https://nvd.nist.gov/vuln/search |
| netty | CVE-2025-55163, CVE-2025-58057 | https://nvd.nist.gov/vuln/search |
| commons-lang3 | CVE-2025-48924 | https://nvd.nist.gov/vuln/search |
| angus_smtp | CVE-2025-7962 | https://nvd.nist.gov/vuln/search |
| quarkus-vertx | CVE-2025-49574 | https://nvd.nist.gov/vuln/search |
| urllib3 | CVE-2025-50181 | https://nvd.nist.gov/vuln/search |
| Keycloak | CVE-2024-8176, CVE-2025-53066, CVE-2025-58187, CVE-2025-58188, CVE-2025-59250, CVE-2025-59375, CVE-2025-61723, CVE-2025-61725, CVE-2025-9086, CVE-2025-9187, CVE-2025-9230, CVE-2025-9162, CVE-2025-8419, CVE-2025-7784, CVE-2025-7365 | https://nvd.nist.gov/vuln/search |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2026-22283 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Inclusion of Functionality from Untrusted Control Sphere vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2026-40641 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Use of a Broken or Risky Cryptographic Algorithm vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering. | 4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2026-35069 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Script injection. | 5.7 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2026-35068 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure. | 3.5 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CVE-2026-35066 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service. | 7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H |
| CVE-2026-35067 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges and Unauthorized access. | 5.7 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2026-35162 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
| CVE-2026-35065 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Information tampering, Remote execution, Script injection, and Unauthorized access. | 8.8 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2026-32804 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Unauthorized access. | 8.1 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| CVE-2026-49502 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure, Information tampering, and Unauthorized access. | 7.4 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CVE-2024-47477 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to man-in-the-middle attack in tandem with DNS cache poisoning. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2026-56690 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure, Information exposure, and Unauthorized access. | 8.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N |
| CVE-2026-56689 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | 7.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| CVE-2026-56688 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability during OS Repository processing to achieve arbitrary command execution as root, potentially leading to full appliance compromise and lateral movement into managed infrastructure. | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2026-22283 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Inclusion of Functionality from Untrusted Control Sphere vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2026-40641 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Use of a Broken or Risky Cryptographic Algorithm vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering. | 4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2026-35069 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Script injection. | 5.7 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2026-35068 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure. | 3.5 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CVE-2026-35066 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service. | 7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H |
| CVE-2026-35067 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges and Unauthorized access. | 5.7 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2026-35162 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
| CVE-2026-35065 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Information tampering, Remote execution, Script injection, and Unauthorized access. | 8.8 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2026-32804 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Unauthorized access. | 8.1 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| CVE-2026-49502 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure, Information tampering, and Unauthorized access. | 7.4 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CVE-2024-47477 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to man-in-the-middle attack in tandem with DNS cache poisoning. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2026-56690 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure, Information exposure, and Unauthorized access. | 8.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N |
| CVE-2026-56689 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | 7.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| CVE-2026-56688 | Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability during OS Repository processing to achieve arbitrary command execution as root, potentially leading to full appliance compromise and lateral movement into managed infrastructure. | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Затронутые продукты и исправление
| Product | Software / Firmware | Affected Versions | Remediated Versions | Link |
| PowerFlex Appliance | IC | Versions prior to 51.391.00 | Version 51.391.01 or later | IC release |
| PowerFlex Appliance | IC | Versions prior to 48.384.01 | Version 51.384.01 or later | IC release |
| Product | Software / Firmware | Affected Versions | Remediated Versions | Link |
| PowerFlex Appliance | IC | Versions prior to 51.391.00 | Version 51.391.01 or later | IC release |
| PowerFlex Appliance | IC | Versions prior to 48.384.01 | Version 51.384.01 or later | IC release |
In the case of manual upgrade for PowerFlex Appliance, please see this link: https://www.dell.com/support/product-details/en-us/product/powerflex-appliance-int-ca-sw/drivers.
История изменений
| Revision | Date | Description |
| 1.0 | 2026-06-15 | Initial release |
| 2.0 | 2026-06-15 | Updated for enhanced presentation with no changes to content |
| 3.0 | 2026-07-10 | Added details for CVE-2026-22283, CVE-2026-40641, CVE-2026-35069, CVE-2026-35068, CVE-2026-35066, CVE-2026-35067, CVE-2026-35162, CVE-2026-35065, CVE-2026-32804, CVE-2026-49502, CVE-2024-47477, CVE-2026-56688, CVE-2026-56689, CVE-2026-56690 |
| 4.0 | 2026-07-10 | Updated for enhanced presentation with no changes to content |
Связанная информация
Правовая оговорка
Затронутые продукты
PowerFlex Appliance, ScaleIO, PowerFlex appliance Intelligent Catalog SoftwareСвойства статьи
Номер статьи: 000477555
Тип статьи: Dell Security Advisory
Последнее изменение: 09 Jul 2026
Получите ответы на свои вопросы от других пользователей Dell
Услуги технической поддержки
Проверьте, распространяются ли на ваше устройство услуги технической поддержки.