PowerFlex Manager CVE-2026-40641

Severity: MEDIUM
Weakness: Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Date: 2026-06-17 · Vendor: dell
Score: 4.8 (CVSS 3.1)

Severity by source

Vendor (dell), primary source: 4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

vuln.today AI: 4.8 MEDIUM

AV:N for network-accessible management interface; AC:H because exploiting broken crypto requires MitM network positioning; PR:N as the cryptographic channel weakness is pre-authentication; C:L/I:L reflect partial disclosure and tampering without full system compromise; A:N as no availability impact is described.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (dell).

CVSS Vector (Vendor: dell)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026, 15:39 (vuln.today)

Description (CVE.org)

Dell PowerFlex Manager, version(s) 4.6.0.1, contain(s) a Use of a Broken or Risky Cryptographic Algorithm vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering.

Analysis (AI)

Broken or risky cryptographic algorithm use in Dell PowerFlex Manager 4.6.0.1 exposes network-accessible infrastructure management communications to potential interception and modification. Remote unauthenticated attackers who achieve the requisite network positioning - consistent with the CVSS AC:H rating - could exploit weak or deprecated cryptographic primitives to partially disclose sensitive management data (C:L) or tamper with communications in transit (I:L). …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain access to management network segment
Delivery: Establish MitM position via ARP spoofing or rogue routing
Exploit: Intercept PowerFlex Manager encrypted communications
Execution: Exploit broken cryptographic algorithm to decrypt or forge traffic
Impact: Extract sensitive management data or inject tampered commands

Vulnerability Assessment (AI)

Exploitation: The CVSS vector (AV:N/AC:H/PR:N/UI:N) indicates exploitation requires network reachability to the PowerFlex Manager management interface with no authentication and no user interaction, but demands high attack complexity - specifically, the attacker must achieve a favorable network position (e.g., MitM on the management segment, ARP spoofing, or rogue DNS) to interact with the broken cryptographic channel. …

Risk Assessment: The CVSS base score of 4.8 (Medium) reflects a constrained risk profile: AV:N confirms network reachability, but AC:H is the critical dampening factor - exploitation requires the attacker to satisfy specific preconditions, most plausibly a man-in-the-middle (MitM) network position within the management segment. …

Exploit Scenario: An attacker with access to the network segment hosting Dell PowerFlex Manager - for example, through a compromised host on a shared management VLAN or via ARP spoofing - intercepts TLS or other encrypted management traffic and exploits the weak cryptographic algorithm to decrypt session data or forge management commands. No public exploit code exists for this specific CVE, but tooling for exploiting deprecated TLS cipher suites (e.g., BEAST, SWEET32, POODLE variants) is widely available and could be adapted depending on which algorithm is broken. …

Remediation: Patch available per Dell vendor advisory DSA-2026-066 at https://www.dell.com/support/kbdoc/en-us/000477538/dsa-2026-066-security-update-for-powerflex-software-multiple-vulnerabilities; the exact patched version number is not specified in the available intelligence and should be confirmed directly from the advisory before deployment. …

CVE-2026-40641 vulnerability details – vuln.today