CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Description (NVD)
Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
Analysis (AI)
Incorrect Privilege Assignment (CWE-266) in Dell PowerFlex Manager version 4.6.2 and earlier, in both the Appliance and Rack form factors, allows a low-privileged attacker with local access to elevate privileges. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) scores 5.3 (Medium): local access and an existing low-privileged account are required, no user interaction is needed, scope is unchanged, and confidentiality, integrity and availability are each rated Low. Dell has published two advisories, DSA-2025-434 for the Appliance variant and DSA-2025-435 for the Rack variant. No public exploit code and no active exploitation had been identified at the time of analysis.
Technical Context (AI)
CWE-266 (Incorrect Privilege Assignment) covers flaws where software grants an entity more permissions than intended, so that a user can act beyond their sanctioned role. Dell PowerFlex Manager is the centralized management and orchestration platform for Dell's PowerFlex software-defined storage and hyper-converged infrastructure (HCI) deployments. Three CPE entries are confirmed affected, all at versions up to and including 4.6.2: the general PowerFlex Manager (cpe:2.3:a:dell:powerflex_manager:*), the Appliance form factor (cpe:2.3:a:dell:powerflex_manager_(appliance):*), and the Rack form factor (cpe:2.3:a:dell:powerflex_manager_(rack):*). The advisory tags also reference third-party component vulnerabilities, which may indicate that the root cause lies in a bundled library or underlying system component rather than exclusively in Dell's own code; the advisories do not state this explicitly.
Remediation (AI)
Apply the security updates documented in Dell advisories DSA-2025-434 (Appliance deployments: https://www.dell.com/support/kbdoc/en-us/000391392) and DSA-2025-435 (Rack deployments: https://www.dell.com/support/kbdoc/en-us/000391568). The fixed version is not independently confirmed from the data available here; take the exact target version from the advisories. Until the update is applied, the precondition for exploitation is an existing low-privileged local account, so the useful compensating controls are: restrict local interactive and administrative access to PowerFlex Manager hosts to the minimum set of required users, audit existing local account privilege assignments (UID-0 accounts, privileged group membership, sudo rules) for anomalous grants, and review system-level access logs for unusual privilege-related activity. Restricting local login shrinks the pool of potential exploiters but does not remove the flaw; treat it as a temporary measure pending the vendor patch.
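As an added illustration of the privilege-assignment audit suggested above (this is not Dell tooling and does not come from the advisories), the script below runs three checks against constructed copies of /etc/passwd, /etc/group and /etc/sudoers: accounts other than root that carry UID 0, members of the usual administrative groups, and live NOPASSWD sudo rules. It assumes a standard Linux layout for those files; the account and group names in the sample data are made up for the demonstration.

```shell
#!/bin/sh
# Local privilege-assignment audit (constructed example; not Dell tooling).
# Assumes the standard /etc/passwd, /etc/group and /etc/sudoers layouts.

# Constructed /etc/passwd: "svcbackup" has been given UID 0, i.e. a second root.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
svcbackup:x:0:0:backup helper:/var/lib/backup:/bin/sh
operator:x:1001:1001:PFxM operator:/home/operator:/bin/bash
nobody:x:65534:65534:nobody:/:/sbin/nologin'

# Constructed /etc/group: membership of the usual admin groups.
SAMPLE_GROUP='root:x:0:
wheel:x:10:admin,operator
sudo:x:27:
users:x:100:operator'

# Constructed /etc/sudoers: one live NOPASSWD grant plus a commented-out one.
SAMPLE_SUDOERS='# /etc/sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
operator ALL=(ALL) NOPASSWD: ALL
# pfmsvc ALL=(root) NOPASSWD: /usr/bin/systemctl'

# UID-0 accounts other than root, read from a passwd-format stream on stdin.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Members of privileged groups (wheel, sudo, admin) as "group:member,member".
# Groups with an empty member list are skipped.
privileged_group_members() {
    awk -F: '($1 == "wheel" || $1 == "sudo" || $1 == "admin") && $4 != "" { print $1 ":" $4 }'
}

# Active (non-comment) sudoers lines that grant NOPASSWD.
# "|| :" keeps a clean run (no findings) from being reported as an error under set -e.
nopasswd_sudo_entries() {
    grep -v '^[[:space:]]*#' | grep 'NOPASSWD' || :
}

# Number of non-empty lines on stdin; turns a finding list into a count.
count_findings() {
    grep -c . || :
}

# Demonstration on the constructed data. On a real host feed the actual files,
# e.g.  extra_uid0_accounts < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD"  | extra_uid0_accounts
printf '%s\n' "$SAMPLE_GROUP"   | privileged_group_members
printf '%s\n' "$SAMPLE_SUDOERS" | nopasswd_sudo_entries
```

On a live host, include drop-in sudo rules as well (`cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | nopasswd_sudo_entries`), and cross-check any account that appears in the output with `sudo -l -U <user>`, which shows the effective rules after sudo has parsed aliases and includes. A non-empty result from any of the three checks is a finding to explain, not proof of this vulnerability; the goal is to make sure no local account already holds more than its role needs while the patch is pending.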
External References (no public PoC or exploit code identified)
EUVD-2025-209918
GHSA-g24f-w862-679m