CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Description (NVD)
Dell PowerFlex Manager, versions 4.6.2 and earlier, contains a Use of a Broken or Risky Cryptographic Algorithm vulnerability in SSH. A low-privileged attacker with local access could potentially exploit this vulnerability, leading to protection mechanism bypass.
Analysis (AI)
Use of a broken or risky cryptographic algorithm in the SSH component of Dell PowerFlex Manager (versions 4.6.2 and earlier) allows a locally authenticated, low-privileged attacker to bypass SSH protection mechanisms; both the Appliance and Rack form factors are affected. The CVSS vector (AV:L/AC:H/PR:L) reflects significant exploitation barriers: local access (physical or logical) and low privileges are required, attack complexity is high, and impact is limited to partial confidentiality and integrity loss with no availability impact. Dell has published two advisories (DSA-2025-434 for the Appliance, DSA-2025-435 for the Rack); no public exploit or CISA KEV listing existed at the time of analysis.
Technical Context (AI)
CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) in the SSH subsystem indicates the PowerFlex Manager server negotiates or accepts one or more deprecated cryptographic primitives - commonly legacy key exchange algorithms (e.g., diffie-hellman-group1-sha1), weak ciphers (e.g., DES, 3DES, RC4), or deprecated MAC algorithms (e.g., MD5- or SHA1-based HMACs) - that no longer meet NIST or broader industry standards. Dell PowerFlex Manager is an enterprise software-defined storage management platform. Three CPE entries are affected: the general product (cpe:2.3:a:dell:powerflex_manager:*:*:*:*:*:*:*:*), the Appliance form factor (cpe:2.3:a:dell:powerflex_manager_(appliance):*:*:*:*:*:*:*:*), and the Rack form factor (cpe:2.3:a:dell:powerflex_manager_(rack):*:*:*:*:*:*:*:*), all at versions up to and including 4.6.2. The advisory tagging as 'Authentication Bypass' suggests the weak algorithm could be leveraged to weaken session confidentiality or integrity protections established during SSH handshake.
Remediation (AI)
Apply the security updates described in Dell's advisories: DSA-2025-434 for the PowerFlex Appliance (https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities) and DSA-2025-435 for the PowerFlex Rack (https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities). The exact patched version is not given in the available source data; confirm the minimum fixed release on Dell's support portal before upgrading. Where immediate patching is not feasible, a compensating control is to restrict SSH access to the PowerFlex Manager management interfaces to explicitly trusted administrative hosts using host-based or network-layer firewall ACLs, which reduces the local attack surface available to low-privileged users. Additionally, review and harden the SSH server configuration so that weak cipher suites, key exchange algorithms (e.g., diffie-hellman-group1-sha1) and deprecated MAC algorithms are explicitly disabled. Consult Dell's guidance before modifying the SSH configuration, since disabling algorithms may break compatibility with management tooling.
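The audit step described in the Technical Context and Remediation sections, as an added example (not Dell's code or the advisory's): it parses an OpenSSH effective-configuration dump in the format printed by `sshd -T`, flags the deprecated algorithm families named above, and emits the hardened directive lines. The dump below is constructed for illustration and does not come from a PowerFlex Manager system; the weak-marker lists are a starting point that should be extended to match your own baseline.

```python
"""Flag deprecated SSH algorithms in an `sshd -T` style dump and build hardened
directives. Added example; SAMPLE_DUMP is constructed, not from a real system."""

# Substrings that mark an algorithm as deprecated, per keyword as printed by `sshd -T`.
# Matching by family catches every variant (e.g. 3des-cbc, hmac-md5-96, hmac-sha1-etm@...).
# In OpenSSH naming, RC4 appears as "arcfour".  Assumed baseline; extend as needed.
WEAK_MARKERS = {
    "kexalgorithms": ("diffie-hellman-group1-sha1",),
    "ciphers": ("3des", "arcfour"),
    "macs": ("hmac-md5", "hmac-sha1"),
}

# sshd_config keywords are case-insensitive; these are the conventional spellings.
CONFIG_KEYWORD = {"kexalgorithms": "KexAlgorithms", "ciphers": "Ciphers", "macs": "MACs"}


def parse_sshd_dump(text):
    """Return {keyword: [algorithms]} for the three algorithm keywords in the dump."""
    found = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in WEAK_MARKERS:
            found[parts[0].lower()] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return found


def is_weak(keyword, algo):
    return any(marker in algo for marker in WEAK_MARKERS[keyword])


def find_weak_algorithms(text):
    """Return {keyword: [weak algorithms]} present in the dump; {} means nothing flagged."""
    report = {}
    for keyword, algos in parse_sshd_dump(text).items():
        weak = [a for a in algos if is_weak(keyword, a)]
        if weak:
            report[keyword] = weak
    return report


def hardened_directive(keyword, algos):
    """sshd_config line for `keyword` with the deprecated entries removed."""
    kept = [a for a in algos if not is_weak(keyword, a)]
    return f"{CONFIG_KEYWORD[keyword]} {','.join(kept)}"


# Constructed sample dump mixing modern and deprecated algorithms.
SAMPLE_DUMP = """\
port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1
ciphers aes256-gcm@openssh.com,aes128-ctr,3des-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-md5
"""

if __name__ == "__main__":
    for keyword, weak in find_weak_algorithms(SAMPLE_DUMP).items():
        print(f"{keyword}: deprecated {weak}")
        print("  hardened:", hardened_directive(keyword, parse_sshd_dump(SAMPLE_DUMP)[keyword]))
```

Run `sshd -T` on the host and feed its output to `find_weak_algorithms` to check the live configuration; the hardened lines are a proposal to review against Dell's guidance, not a drop-in change.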
Related identifiers: EUVD-2025-209924, GHSA-6cvj-w99f-98mh