DSA-2026-066: Security Update for PowerFlex Software Multiple Vulnerabilities
Summary: PowerFlex Software remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Bu makale şunlar için geçerlidir:
Bu makale şunlar için geçerli değildir:
Bu makale, belirli bir ürüne bağlı değildir.
Bu makalede tüm ürün sürümleri tanımlanmamıştır.
Impact
Critical
Details
| Third-party Component | CVEs | More Information |
| kernel | CVE-2026-31431 | https://nvd.nist.gov/vuln/search
|
| open ssh | CVE-2025-61984 | https://nvd.nist.gov/vuln/search
|
| java | CVE-2025-50106, CVE-2025-30749 | https://nvd.nist.gov/vuln/search |
| netty | CVE-2025-55163, CVE-2025-58057 | https://nvd.nist.gov/vuln/search |
| commons-lang3 | CVE-2025-48924 | https://nvd.nist.gov/vuln/search |
| angus_smtp | CVE-2025-7962 | https://nvd.nist.gov/vuln/search |
| quarkus-vertx | CVE-2025-49574 | https://nvd.nist.gov/vuln/search |
| urllib3 | CVE-2025-50181 | https://nvd.nist.gov/vuln/search |
| Keycloak | CVE-2024-8176, CVE-2025-53066, CVE-2025-58187, CVE-2025-58188, CVE-2025-59250, CVE-2025-59375, CVE-2025-61723, CVE-2025-61725, CVE-2025-9086, CVE-2025-9187, CVE-2025-9230, CVE-2025-9162, CVE-2025-8419, CVE-2025-7784, CVE-2025-7365 | https://nvd.nist.gov/vuln/search |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2026-22283 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Inclusion of Functionality from Untrusted Control Sphere vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2026-40641 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Use of a Broken or Risky Cryptographic Algorithm vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering. | 4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2026-35069 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Script injection. | 5.7 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2026-35068 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure. | 3.5 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CVE-2026-35066 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service. | 7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H |
| CVE-2026-35067 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges and Unauthorized access. | 5.7 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2026-35162 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
| CVE-2026-35065 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Information tampering, Remote execution, Script injection, and Unauthorized access. | 8.8 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2026-32804 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Unauthorized access. | 8.1 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| CVE-2026-49502 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure, Information tampering, and Unauthorized access. | 7.4 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CVE-2024-47477 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to man-in-the-middle attack in tandem with DNS cache poisoning. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2026-22283 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Inclusion of Functionality from Untrusted Control Sphere vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2026-40641 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Use of a Broken or Risky Cryptographic Algorithm vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering. | 4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2026-35069 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Script injection. | 5.7 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2026-35068 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure. | 3.5 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CVE-2026-35066 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service. | 7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H |
| CVE-2026-35067 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges and Unauthorized access. | 5.7 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2026-35162 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
| CVE-2026-35065 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Information tampering, Remote execution, Script injection, and Unauthorized access. | 8.8 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2026-32804 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Unauthorized access. | 8.1 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| CVE-2026-49502 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure, Information tampering, and Unauthorized access. | 7.4 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CVE-2024-47477 | Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to man-in-the-middle attack in tandem with DNS cache poisoning. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Etkilenen Ürünler ve Düzeltme
| Product | Software/Firmware | Affected Versions | Remediated Versions | Link |
| PowerFlex Software | Software | Versions prior to 5.1.0.1 | Version 5.1.0.1 or later | RCM release |
| PowerFlex Software | Software | Versions prior to 4.5.5.2 | Version 4.5.5.2 or later | RCM release |
| Product | Software/Firmware | Affected Versions | Remediated Versions | Link |
| PowerFlex Software | Software | Versions prior to 5.1.0.1 | Version 5.1.0.1 or later | RCM release |
| PowerFlex Software | Software | Versions prior to 4.5.5.2 | Version 4.5.5.2 or later | RCM release |
In the case of manual upgrade for PowerFlex Software, please see this link: https://www.dell.com/support/product-details/en-us/product/scaleio/drivers.
Revision History
| Revision | Date | Description |
| 1.0 | 2026-06-15 | Initial release |
| 2.0 | 2026-06-15 | Updated for enhanced presentation with no changes to content |
| 3.0 | 2026-06-23 | Updated descriptions for CVE Proprietary Code. |
Acknowledgements
CVE-2026-49502, CVE-2026-32804, CVE-2026-35065, CVE-2026-35162, CVE-2026-35067, CVE-2026-35066, CVE-2026-3506, CVE-2026-35069- Dell would like to thank brocked200 for reporting this issue.
Related Information
Yasal Uyarı
Etkilenen Ürünler
PowerFlex SoftwareÜrünler
ScaleIOMakale Özellikleri
Article Number: 000477538
Article Type: Dell Security Advisory
Son Değiştirme: 23 Haz 2026
Sorularınıza diğer Dell kullanıcılarından yanıtlar bulun
Destek Hizmetleri
Aygıtınızın Destek Hizmetleri kapsamında olup olmadığını kontrol edin.