CVSS Vector (NVD)
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Description (NVD)
Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Improper Certificate Validation vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information tampering.
Analysis (AI)
Improper certificate validation in Dell PowerFlex Manager version 4.6.2 and earlier allows an unauthenticated attacker on an adjacent network to intercept and tamper with protected communications. The flaw (CWE-295) means the product fails to adequately verify peer certificates during TLS/SSL exchanges, enabling a man-in-the-middle position to read or modify in-transit management data. No active exploitation is confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.
Technical Context (AI)
CWE-295 (Improper Certificate Validation) indicates Dell PowerFlex Manager does not properly authenticate the identity of communicating peers during TLS/SSL handshakes - typically manifesting as missing hostname verification, acceptance of untrusted or expired certificates, or skipped revocation checks. Both the Appliance (cpe:2.3:a:dell:powerflex_manager_(appliance):*:*:*:*:*:*:*:*) and Rack (cpe:2.3:a:dell:powerflex_manager_(rack):*:*:*:*:*:*:*:*) hardware form factors are affected, as is the generic PowerFlex Manager CPE. The product manages Dell PowerFlex hyperconverged infrastructure, making its management plane a sensitive communication channel. The CVSS vector AV:A restricts exploitation to adjacent network segments - the attacker must share a local network, subnet, or broadcast domain with the target.
Remediation (AI)
Upgrade Dell PowerFlex Manager beyond version 4.6.2 following guidance in Dell advisories DSA-2025-434 for Appliance deployments (https://www.dell.com/support/kbdoc/en-us/000391392) and DSA-2025-435 for Rack deployments (https://www.dell.com/support/kbdoc/en-us/000391568). The exact patched version number is not specified in available input data - consult the relevant Dell advisory directly to confirm the minimum safe version for your deployment form factor. Where immediate patching is not feasible, restrict access to the PowerFlex Manager management interface using VLAN segmentation or firewall ACLs to enforce strict adjacency controls, limiting the pool of hosts that can reach the management plane; note this reduces but does not eliminate risk for hosts already on the same segment. Additionally, monitoring for anomalous ARP activity or unexpected certificate presentations on management VLANs can serve as an early-warning compensating control.
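The two passages above describe the client-side failure modes behind CWE-295 (missing hostname verification, acceptance of untrusted or expired certificates) and suggest watching for unexpected certificate presentations on the management VLAN as a compensating control. The following is an added example, not Dell's, NVD's or vuln.today's code, that shows both sides in Python's standard ssl module: a weak client context beside a hardened one, an auditor that reports which validation steps a context skips, and a SHA-256 fingerprint pin check of the kind a monitoring job could run against what the management interface presents. Every function name, the finding codes and the SAMPLE_DER bytes are constructed for this illustration; nothing here is PowerFlex Manager's own configuration.

```python
# Added example (not Dell's or NVD's code): auditor for the CWE-295 client-side
# failure modes, plus a certificate-pin check for baselining what a management
# endpoint presents. Names and SAMPLE_DER are constructed for this illustration.
import hashlib
import ssl


def hardened_client_context(cafile=None):
    """Client context that performs the checks CWE-295 is about: peer cert
    required, hostname matched against the certificate, TLS 1.2 or newer.
    `cafile` optionally pins trust to a private CA instead of the system store."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    """The anti-pattern: any certificate is accepted and the hostname is never
    compared, which is what lets an on-path host impersonate the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of finding codes for an ssl.SSLContext; an empty list
    means the context enforces certificate validation as a client should."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("NO_PEER_VERIFY")       # untrusted/expired certs accepted
    if not ctx.check_hostname:
        findings.append("NO_HOSTNAME_CHECK")    # valid cert for the wrong host accepted
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("NO_TRUST_ANCHORS")     # nothing to chain to; handshakes fail
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("WEAK_TLS_VERSION")
    return findings


def cert_fingerprint(der_cert):
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate; this
    is the value to record when baselining a management interface."""
    return hashlib.sha256(der_cert).hexdigest()


def verify_pin(der_cert, expected_fingerprints):
    """True if the presented certificate matches a known-good fingerprint.
    A False result on a management VLAN is the 'unexpected certificate
    presentation' signal worth alerting on."""
    return cert_fingerprint(der_cert) in expected_fingerprints


def peer_fingerprint(host, port, ctx, timeout=5.0):
    """Connect with the given context and return the peer's fingerprint.
    Needs a live endpoint, so it is not exercised in the offline run below."""
    import socket
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_fingerprint(tls.getpeercert(binary_form=True))


# Constructed stand-in for DER certificate bytes; real input would come from
# getpeercert(binary_form=True) on an established connection.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-sample-certificate-bytes"

if __name__ == "__main__":
    print("weak    :", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
    baseline = {cert_fingerprint(SAMPLE_DER)}
    print("pin ok  :", verify_pin(SAMPLE_DER, baseline))
    print("pin bad :", verify_pin(SAMPLE_DER, {"00" * 32}))
```

The auditor reads only context attributes, so it can be pointed at the contexts an application builds without opening any connection; the NO_TRUST_ANCHORS finding is only raised when verification is on, since a context with CERT_NONE never consults the store in the first place. For the pin check, record the fingerprint the management interface presents after a known-good deployment and alert whenever a later observation differs.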
More from same product – last 7 days
Open redirect vulnerability in Dell PowerFlex Manager 4.6.2 and prior enables unauthenticated remote attackers to craft
Dell PowerFlex Manager versions 4.6.2 and earlier improperly store sensitive information in a manner accessible to low-p
Incorrect Privilege Assignment in Dell PowerFlex Manager version 4.6.2 and earlier (both Appliance and Rack form factors
Directory listing exposure in Dell PowerFlex Manager versions 4.6.2 and earlier allows an attacker to enumerate director
Insecure storage of sensitive information in Dell PowerFlex Manager versions up to and including 4.6.2 exposes credentia
External POC / Exploit Code
EUVD-2025-209921
GHSA-w3w5-rfwv-898q