CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description (NVD)
Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Insecure Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to sensitive information.
Analysis (AI)
Dell PowerFlex Manager versions 4.6.2 and earlier store sensitive information where low-privileged local users can read it, so an attacker with an ordinary OS session on the manager host gains unauthorized access to confidential data (CVSS confidentiality impact High, with no integrity or availability impact). Affected deployments span both the Appliance and Rack form factors of the platform. No public exploit code had been identified at the time of analysis, and CISA KEV does not list this vulnerability. The CWE-922 root cause, together with the 'Authentication Bypass' tag applied to this entry, suggests that the exposed data may include credentials or tokens; if so, a local foothold could be converted into downstream privilege escalation or lateral movement.
Technical Context (AI)
CWE-922 (Insecure Storage of Sensitive Information) describes a class of defects in which an application writes credentials, cryptographic keys, session tokens, or other secrets to locations (world-readable files, unencrypted local databases, log files, environment stores) that are accessible to users beyond those intended. Dell PowerFlex Manager is the centralized infrastructure management platform for Dell's PowerFlex (formerly ScaleIO) software-defined storage and hyper-converged infrastructure product line. CPE data identifies three distinct affected product SKUs: the general PowerFlex Manager (cpe:2.3:a:dell:powerflex_manager), the Appliance variant (cpe:2.3:a:dell:powerflex_manager_(appliance)), and the Rack variant (cpe:2.3:a:dell:powerflex_manager_(rack)), all at versions up to and including 4.6.2. The CVSS vector AV:L/AC:L/PR:L/UI:N indicates that the storage location is reachable from a local OS session holding only low-privilege credentials, with no special exploitation complexity; this is the profile of overly permissive file modes on a configuration or credential store, or of secrets kept unencrypted in a location every local account can read.
Remediation (AI)
Apply the security updates detailed in Dell advisory DSA-2025-434 for PowerFlex Manager Appliance (https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities) and DSA-2025-435 for PowerFlex Manager Rack (https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities). Dell reports that a patch is available, but the specific fixed version number was not included in the available intelligence data and should be confirmed directly against the Dell advisories before deployment. As a compensating control prior to patching, restrict local OS-level access to the PowerFlex Manager host to the minimum required administrative accounts, audit file system permissions on configuration and credential storage paths, and review audit logs for unexpected local account access to the management system. If the advisory confirms that credentials or tokens were among the insecurely stored data, rotate them after patching, since the update corrects the storage location but not any copies a local user may already have read. Note that restricting local access may impact break-glass administrative workflows and should be coordinated with operational teams.
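The permission audit suggested above, and the CWE-922 pattern described under Technical Context, can be checked mechanically. The following is an added example written for this page; it is not Dell's code, not part of any PowerFlex Manager release, and not the original analysis. The directory layout, file names and credential patterns are constructed for the demonstration (PowerFlex Manager's real configuration paths are not published here), and the check assumes a POSIX file system where mode bits are meaningful. It flags files that both contain secret-like content and are readable by group or others, then tightens them to owner-only.

```python
"""Find secret-bearing files that users other than the owner can read (CWE-922).

Added example for this page; paths, file names and regexes are hypothetical.
"""
import re
import stat
import tempfile
from pathlib import Path

# Credential-like content. Constructed for this example; extend per platform.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*\S+"),
    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
]

# Mode bits that expose a file to anyone besides the owner.
NON_OWNER_READ = stat.S_IRGRP | stat.S_IROTH


def looks_like_secret(text):
    """True if any line resembles a stored credential or private key."""
    return any(p.search(text) for p in SECRET_PATTERNS)


def audit_secret_files(root):
    """Return sorted (relative_path, octal_mode) for files that hold secret-like
    content AND are group- or world-readable. Owner-only (0600) files with
    secrets are acceptable storage and are not reported; readable files without
    secrets are not a CWE-922 finding either."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        # Skip symlinks so a link pointing outside the tree is not followed.
        if path.is_symlink() or not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if not mode & NON_OWNER_READ:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable to us; nothing to judge
        if looks_like_secret(text):
            findings.append((str(path.relative_to(root)), f"{mode:04o}"))
    return sorted(findings)


def harden_file(path):
    """Remediate one finding: owner read/write only. Returns the new mode."""
    path = Path(path)
    path.chmod(0o600)
    return stat.S_IMODE(path.stat().st_mode)


def build_demo_tree():
    """Constructed sample tree (hypothetical layout, not PowerFlex Manager's).

    etc/db.properties : password present, mode 0644  -> should be flagged
    etc/vault.yaml    : api key present, mode 0600   -> correct storage, not flagged
    etc/logging.conf  : no secret, mode 0644         -> harmless, not flagged
    """
    root = Path(tempfile.mkdtemp(prefix="cwe922_demo_"))
    etc = root / "etc"
    etc.mkdir()
    leaked = etc / "db.properties"
    leaked.write_text("db.user=admin\ndb.password=Winter2024!\n")
    leaked.chmod(0o644)
    safe = etc / "vault.yaml"
    safe.write_text("api_key: abc123\n")
    safe.chmod(0o600)
    benign = etc / "logging.conf"
    benign.write_text("level=INFO\n")
    benign.chmod(0o644)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, mode in audit_secret_files(demo_root):
        print(f"EXPOSED {mode} {rel}")
        harden_file(demo_root / rel)
    print("after hardening:", audit_secret_files(demo_root))
```

Run it against a real configuration root instead of the demo tree once the relevant paths are known from the vendor advisory; the regex list is deliberately narrow, so treat an empty result as "no obvious plaintext secret in a readable file", not as proof that the host is clean.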
Related identifiers
EUVD-2025-209925
GHSA-8c62-m5jv-v339