Dell PowerFlex Manager
CVE-2026-35065
HIGH
Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The adjacent attack vector matches a management-plane endpoint, the missing authentication gives PR:N/UI:N, and the vendor-listed impacts (RCE, DoS and information disclosure) justify C:H/I:H/A:H.
Primary rating from Vendor (dell).
CVSS Vector (Vendor: dell)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Dell PowerFlex Manager, version(s) [Versions], contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Information tampering, Remote execution, Script injection, and Unauthorized access.
Analysis (AI)
Missing authentication on a critical function in Dell PowerFlex Manager allows an adjacent-network attacker to invoke privileged operations without credentials, yielding code execution, denial of service, information disclosure, tampering, and unauthorized access. No public exploit identified at time of analysis, and the affected version range was not populated in the source advisory placeholder. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker must have layer-2/adjacent network reachability to the PowerFlex Manager management interface (CVSS AV:A); internet-only attackers cannot reach it unless the manager has been mis-exposed. … |
| Risk Assessment | The signals are consistent and point to a high real-world priority within reachable network segments: CVSS 3.1 base score 8.8 with AV:A/AC:L/PR:N/UI:N and H/H/H impacts, CWE-306 (a weakness class historically prone to trivial exploitation once the endpoint is known), and vendor-confirmed impact spanning RCE and DoS. … |
| Exploit Scenario | An attacker who has gained a foothold on any host in the storage/management VLAN (e.g., via a phished admin workstation or a compromised neighboring VM) sends a crafted request directly to the unauthenticated PowerFlex Manager endpoint. With no credentials required, they invoke the privileged function to execute commands on the manager, exfiltrate cluster configuration, or disrupt storage services. No public PoC is currently identified, but CWE-306 issues are typically straightforward to reproduce once the vulnerable endpoint is named. |
| Remediation | A patch is available per the vendor advisory: apply the PowerFlex software update referenced in Dell DSA-2026-066 (https://www.dell.com/support/kbdoc/en-us/000477538/dsa-2026-066-security-update-for-powerflex-software-multiple-vulnerabilities), upgrading to the fixed build Dell lists for your installed PowerFlex Manager version (the exact fix version is not included in the CVE record and must be read from the DSA). … |
Recommended Action (AI)
Within 24 hours: Inventory all Dell PowerFlex Manager installations and immediately restrict network access to trusted administrative networks only; enable comprehensive audit logging. …