
Dell ECS and ObjectScale: EUVD-2025-209757

CVE-2025-43992 (MEDIUM, CVSS 3.1 base score 5.6)
Weakness: Authentication Bypass by Assumed-Immutable Data (CWE-302)
Published: 2026-05-11
Vendor: Dell
Advisory reference: GHSA-g6xr-2p64-fh4g

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch available: May 11, 2026 - 11:01 (EUVD)
Analysis generated: May 11, 2026 - 10:31 (vuln.today)
CVE published: May 11, 2026 - 09:27 (NVD)

Description (NVD)

Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0 contain an authentication bypass by assumed-immutable data vulnerability in Geo replication. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to data in transit.

Analysis (AI-generated)

An authentication bypass in Geo replication affects Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0. The replication authentication logic trusts data that it assumes cannot be altered (CWE-302), so an unauthenticated remote attacker could gain access to data in transit without valid credentials or any user interaction. The CVSS vector rates attack complexity as high and the impact on confidentiality, integrity and availability as low.

Technical Context (AI-generated)

Dell ECS (Elastic Cloud Storage) and ObjectScale are object storage platforms that implement Geo replication for data redundancy across geographic sites. The vulnerability resides in the Geo replication authentication logic, which relies on data that should be cryptographically bound or immutable (likely tokens, signatures, or session identifiers, per CWE-302: Authentication Bypass by Assumed-Immutable Data). Because that data is not verified as tamper-proof, an attacker who can modify it may be able to pass the replication handshake without legitimate credentials. The affected CPE strings indicate that all ECS versions from 3.8.1.0 through 3.8.1.7 and all ObjectScale versions before 4.3.0.0 are vulnerable.

Remediation (AI-generated)

For Dell ECS, upgrade to the first patched version following 3.8.1.7; consult Dell DSA-2026-047 for the exact patched version. For Dell ObjectScale, upgrade to version 4.3.0.0 or later. If immediate patching is not feasible, restrict Geo replication traffic to trusted, authenticated peers through network segmentation: use firewall rules or VPN tunnels to control which endpoints can reach the replication service, which limits the exposure of data in transit. Additionally, monitor replication authentication logs for anomalous handshake failures or unexpected peer connections. These compensating controls reduce exposure but do not eliminate the underlying vulnerability; patching remains the definitive remediation. Verify patch application against vendor documentation and perform regression testing of replication functionality before full deployment.

EUVD-2025-209757 vulnerability details – vuln.today