Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Network-reachable command injection needing existing admin access (PR:H), no user interaction; root execution plus lateral movement into managed nodes justifies S:C and C/I/A:H.
Primary rating from Vendor (emc).
CVSS VectorVendor: emc
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability during OS Repository processing to achieve arbitrary command execution as root, potentially leading to full appliance compromise and lateral movement into managed infrastructure.
AnalysisAI
Root-level OS command execution in Dell PowerFlex Manager (versions prior to 5.1.0.1) lets a remote, high-privileged attacker inject operating-system commands during OS Repository processing, resulting in full appliance compromise. Because PowerFlex Manager orchestrates storage and HCI infrastructure, code execution as root also enables lateral movement into managed nodes. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold high-privilege (administrative) access to Dell PowerFlex Manager (CVSS PR:H) and network reachability to its management interface (AV:N), with no user interaction needed (UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 9.1 (Critical) with vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H - network-reachable, low complexity, no user interaction, but requiring high privileges (PR:H), with a scope change reflecting impact beyond the appliance into managed infrastructure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or been granted high-privilege access to PowerFlex Manager submits crafted input that is processed by the OS Repository function, embedding shell metacharacters that break out into arbitrary commands executed as root on the appliance. From that root foothold they pivot into the managed PowerFlex nodes and storage fabric. … |
| Remediation | Vendor-released patch: upgrade Dell PowerFlex Manager to version 5.1.0.1 or later, per Dell advisory DSA-2026-066 (https://www.dell.com/support/kbdoc/en-us/000477538/dsa-2026-066-security-update-for-powerflex-software-multiple-vulnerabilities). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all PowerFlex Manager deployments and confirm software versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Powerflex Manager
View allDell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.
SQL injection in Dell PowerFlex Manager prior to version 5.1.0.1 allows a remote, low-privileged authenticated attacker
SQL injection in Dell PowerFlex Manager before 5.1.0.1 lets a low-privileged, remotely authenticated user inject crafted
Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.
Dell PowerFlex Manager, versions prior to 4.5.1.1, contain an improper certificate validation vulnerability. Rated mediu
Open redirect vulnerability in Dell PowerFlex Manager 4.6.2 and prior enables unauthenticated remote attackers to craft
Dell PowerFlex Manager versions 4.6.2 and earlier improperly store sensitive information in a manner accessible to low-p
Incorrect Privilege Assignment in Dell PowerFlex Manager version 4.6.2 and earlier (both Appliance and Rack form factors
Directory listing exposure in Dell PowerFlex Manager versions 4.6.2 and earlier allows an attacker to enumerate director
Dell PowerFlex Manager VM, versions prior to 4.6.2.1, contains an Insertion of Sensitive Information into Log File vulne
Improper certificate validation in Dell PowerFlex Manager version 4.6.2 and earlier allows an unauthenticated attacker o
Insecure storage of sensitive information in Dell PowerFlex Manager versions up to and including 4.6.2 exposes credentia
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42871
GHSA-r5h9-5m8h-hw64