CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
Description (NVD)
Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Insecure Storage of Sensitive Information vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to sensitive information.
Analysis (AI)
Insecure storage of sensitive information in Dell PowerFlex Manager versions up to and including 4.6.2 leaves some sensitive material (Dell does not say what; given the product's role, credentials, keys, or configuration secrets are the likely candidates) readable by an attacker with local OS-level access to the appliance, with no PowerFlex Manager authentication required. The CVSS vector (AV:L/AC:L/PR:N/UI:N) confirms that local system access, not application credentials, is all the attacker needs to read the improperly protected data. Note the impact side of the vector as well: C:L/I:N/A:N with S:U, so NVD rates the direct disclosure as limited and contained to the appliance. No public exploit was identified at the time of analysis and there is no CISA KEV listing. The 'Authentication Bypass' tag in the intelligence data suggests the exposed material could enable downstream privilege escalation or authentication bypass against PowerFlex or its managed infrastructure, but that is an inference from the tag, not something the advisory states; if the stored data does include reusable credentials, the practical impact is larger than the C:L score implies.
Technical Context (AI)
CWE-922 (Insecure Storage of Sensitive Information) describes a root cause where an application writes sensitive data, typically credentials, API tokens, session keys, or configuration secrets, to storage locations or formats without adequate access controls: world-readable files, unencrypted flat-file stores, or improperly permissioned directories. Dell PowerFlex Manager is an enterprise infrastructure management platform that orchestrates PowerFlex storage appliances and rack systems, and by function it must hold privileged credentials for the hardware and software components it manages. Three CPE variants are affected: cpe:2.3:a:dell:powerflex_manager (base product), cpe:2.3:a:dell:powerflex_manager_(appliance) (appliance form factor), and cpe:2.3:a:dell:powerflex_manager_(rack) (rack form factor), all at versions up to and including 4.6.2. The CVSS AV:L/PR:N combination is the notable part: a local foothold on the appliance is required, but no PowerFlex application credentials are, which implies the data is reachable at the OS layer (a file or directory whose permissions do not restrict it to the service account, for example) independently of the application's own authentication. The advisory does not say which files or what data are involved.
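The file-permission failure modes CWE-922 describes can be audited directly on a Linux host. The following POSIX shell script is an added example written for this page; it is not Dell's code and says nothing about where PowerFlex Manager actually stores data. It walks a directory tree, keeps only regular files readable by group or other, and flags those that contain credential-like keys or a PEM private key. The sample tree it builds under mktemp is constructed for the demo, and the key patterns and directory names are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not Dell's code): audit a directory tree for files that are
# readable by users other than their owner and that contain credential-like
# content. Paths and patterns below are assumptions for illustration, not
# locations or formats documented for PowerFlex Manager.

# find_exposed_secrets DIR
# Prints "MODE OWNER PATH" for every regular file under DIR that is readable
# by group (-040) or other (-004) and matches a credential-like pattern.
find_exposed_secrets() {
    dir="$1"
    find "$dir" -type f \( -perm -004 -o -perm -040 \) 2>/dev/null | while IFS= read -r f; do
        if grep -Eiq '(password|passwd|secret|api[_-]?key|private[_-]?key|token)[[:space:]]*[:=]' "$f" 2>/dev/null \
           || grep -q 'BEGIN .*PRIVATE KEY' "$f" 2>/dev/null; then
            # stat -c is GNU/busybox syntax; BSD stat would use -f '%Lp %Su'
            printf '%s %s\n' "$(stat -c '%a %U' "$f")" "$f"
        fi
    done
}

# count_exposed_secrets DIR: number of flagged files, handy as a CI/audit gate
count_exposed_secrets() {
    find_exposed_secrets "$1" | wc -l | tr -d ' '
}

# Constructed demo tree (not real PowerFlex data): two exposed files, one
# properly protected secret, one harmless config.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/app" "$d/home/svc"
    printf 'db_password = hunter2\n' > "$d/etc/app/app.conf"
    chmod 644 "$d/etc/app/app.conf"          # world-readable secret: flagged
    printf 'api_key: abc123\n' > "$d/home/svc/creds.yml"
    chmod 600 "$d/home/svc/creds.yml"        # owner-only: not flagged
    printf 'log_level = info\n' > "$d/etc/app/log.conf"
    chmod 644 "$d/etc/app/log.conf"          # readable but no secret: not flagged
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n' > "$d/etc/app/node.key"
    chmod 640 "$d/etc/app/node.key"          # group-readable private key: flagged
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(demo_tree)
    find_exposed_secrets "$d"
    rm -rf "$d"
fi
```

Run it with `--demo` to see the two exposed sample files reported, or point `find_exposed_secrets` at an appliance's configuration and data directories. A pattern match is a triage list, not proof of a secret, and the converse also holds: a 0600 file whose parent directory is world-readable still leaks its name, so review directory modes alongside file modes.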
Remediation (AI)
Apply the security updates provided by Dell in advisories DSA-2025-434 (PowerFlex Appliance, https://www.dell.com/support/kbdoc/en-us/000391392) and DSA-2025-435 (PowerFlex Rack, https://www.dell.com/support/kbdoc/en-us/000391568). The exact patched version number is not independently confirmed in the available intelligence data; consult the advisory pages directly for the precise fixed release. As a compensating control pending patching, restrict OS-level local access to PowerFlex Manager appliances to authorised administrators only: enforce SSH key-based authentication with no password fallback, disable or audit console accounts, remove unnecessary local OS user accounts, and limit sudo or root-equivalent access. After patching, rotate any credentials, API keys, or tokens that may have been stored insecurely; because the defect is exposure at rest, a secret may already have been read before the fix was applied, so treat secrets held by versions up to 4.6.2 on any appliance where untrusted local access was possible as potentially compromised. Access restriction narrows the local exploitation path but does not remove the insecure storage defect itself, so it is a stopgap, not a substitute for the update.
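The compensating controls above can be checked rather than assumed. The following POSIX shell script is an added example for this page, not Dell's tooling, and the sshd_config and passwd files it writes are constructed samples. It reads the effective value of each relevant sshd keyword, honouring sshd's rule that the first occurrence of a keyword wins, reports password fallback, keyboard-interactive fallback, root password login, and empty-password settings, and lists the accounts that still have an interactive shell so they can be compared against the authorised administrator list. Keyword defaults are the ones documented in sshd_config(5).

```shell
#!/bin/sh
# Added example (not Dell's code): verify the SSH and local-account compensating
# controls on a Linux host. Works on an sshd_config-style file; on the appliance
# itself, feed it `sshd -T` output, which resolves Match blocks and defaults.

# sshd_effective KEYWORD FILE DEFAULT
# sshd keeps the FIRST value it reads for a keyword, so later duplicates must
# not override it. Only the global section (before any Match line) is read;
# "Key value" and "Key=value" forms are both accepted, case-insensitively.
sshd_effective() {
    lk=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    v=$(awk -v k="$lk" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        { gsub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == k { print tolower($2); exit }
    ' "$2")
    printf '%s\n' "${v:-$3}"
}

# check_sshd FILE: print one "FAIL: ..." line per weak setting
check_sshd() {
    f="$1"
    [ "$(sshd_effective PasswordAuthentication "$f" yes)" = "no" ] \
        || echo "FAIL: PasswordAuthentication should be no (password fallback enabled)"
    # KbdInteractiveAuthentication is the current name; older configs use
    # ChallengeResponseAuthentication. Default for both is yes.
    kbd=$(sshd_effective KbdInteractiveAuthentication "$f" "")
    [ -n "$kbd" ] || kbd=$(sshd_effective ChallengeResponseAuthentication "$f" yes)
    [ "$kbd" = "no" ] \
        || echo "FAIL: KbdInteractiveAuthentication/ChallengeResponseAuthentication should be no"
    [ "$(sshd_effective PubkeyAuthentication "$f" yes)" = "yes" ] \
        || echo "FAIL: PubkeyAuthentication should be yes"
    [ "$(sshd_effective PermitRootLogin "$f" prohibit-password)" != "yes" ] \
        || echo "FAIL: PermitRootLogin yes allows password login as root"
    [ "$(sshd_effective PermitEmptyPasswords "$f" no)" = "no" ] \
        || echo "FAIL: PermitEmptyPasswords should be no"
}

count_sshd_failures() { check_sshd "$1" | wc -l | tr -d ' '; }

# interactive_accounts PASSWD_FILE: accounts whose shell is not nologin/false,
# to review against the list of authorised administrators
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Constructed samples (not taken from a PowerFlex appliance)
write_samples() {
    d=$(mktemp -d)
    cat > "$d/sshd_config.weak" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
# ignored by sshd: the first PasswordAuthentication value above wins
PasswordAuthentication no
EOF
    cat > "$d/sshd_config.hardened" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svcadmin:x:1000:1000::/home/svcadmin:/bin/bash
oldvendor:x:1001:1001::/home/oldvendor:/bin/sh
EOF
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(write_samples)
    check_sshd "$d/sshd_config.weak"
    interactive_accounts "$d/passwd"
    rm -rf "$d"
fi
```

On the appliance, `sshd -T` prints the fully resolved configuration (Match blocks and defaults included) in the lowercase keyword form this parser accepts, so `sshd -T > /tmp/eff && check_sshd /tmp/eff` checks what sshd actually enforces; parsing sshd_config directly only considers the global section before any Match block.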
Related identifiers
EUVD-2025-209920
GHSA-2pcf-mwf4-9mg6