CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Description (NVD)
Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.
Analysis (AI)
Directory listing exposure in Dell PowerFlex Manager versions 4.6.2 and earlier allows an attacker to enumerate directory contents, potentially revealing sensitive files, configuration data, or internal path structures. Both the Appliance and Rack deployment forms are confirmed affected per Dell advisories DSA-2025-434 and DSA-2025-435. No public exploit code has been identified at the time of analysis, and this CVE is not listed in the CISA KEV catalog, but the combination of Information Disclosure and Privilege Escalation tags suggests that the exposed directory contents may facilitate further privilege escalation beyond the initial information leakage.
Technical Context (AI)
CWE-276 (Incorrect Default Permissions) indicates that directories or files within the PowerFlex Manager application are configured with overly permissive default access controls, enabling directory listing: the ability to browse and enumerate directory trees without explicit authorization. This is a server-side misconfiguration in which the web or management interface fails to restrict index generation on accessible paths. Affected products, per the CPE strings, include three distinct deployment forms: Dell PowerFlex Manager (generic), PowerFlex Manager Appliance, and PowerFlex Manager Rack, all running versions at or below 4.6.2. Directory listing vulnerabilities typically expose configuration files, log files, backup archives, or internal path structures that feed subsequent attack phases.
Remediation (AI)
Upgrade Dell PowerFlex Manager to a version beyond 4.6.2 as directed by the applicable Dell advisory: for Appliance deployments, consult DSA-2025-434 at https://www.dell.com/support/kbdoc/en-us/000391392; for Rack deployments, consult DSA-2025-435 at https://www.dell.com/support/kbdoc/en-us/000391568. The exact patched version is not independently confirmed from the provided data; contact Dell support or review the advisories directly to confirm the target upgrade version. As a compensating control pending patching, restrict network-level access to the PowerFlex Manager management interface to authorized administrative subnets only, which limits exposure regardless of whether the attack vector is local or remote. Additionally, audit the web server or application server configuration to explicitly disable directory indexing on all paths served by PowerFlex Manager. Note that network segmentation does not remediate the root CWE-276 permission misconfiguration and should be treated as a temporary measure only.
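As an added illustration, not Dell's own configuration (this page does not identify which web server PowerFlex Manager uses), the following Apache httpd fragment places the directory-indexing misconfiguration that CWE-276 describes beside a hardened form that also applies the administrative-subnet restriction above; the document root path and the subnets are placeholders.

```apacheconf
# Added example, not Dell configuration. ASSUMPTIONS: an Apache httpd front end,
# a placeholder document root /srv/pfxm-web, and placeholder admin subnets.
# Use ONE of the two <Directory> blocks below; they are shown side by side.

# --- Weak form: "Indexes" enables automatic listing of any directory that
# --- has no index file, which is the server-side behaviour the analysis
# --- section describes (browse and enumerate directory trees).
<Directory "/srv/pfxm-web">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# --- Hardened form: indexing disabled on the served tree, and access limited
# --- to authorized administrative subnets as a compensating control.
<Directory "/srv/pfxm-web">
    # "-Indexes" removes index generation: a request for a directory without
    # an index file now returns 403 instead of a listing of its contents.
    Options -Indexes +FollowSymLinks
    # Prevent .htaccess files from re-enabling Indexes further down the tree.
    AllowOverride None
    # Only the placeholder admin subnets may reach the interface; replace
    # with the subnets that are actually authorized in your environment.
    <RequireAny>
        Require ip 10.10.20.0/24
        Require ip 192.168.100.0/24
    </RequireAny>
</Directory>

# After editing: "apachectl configtest" to validate syntax, then reload and
# confirm that requesting a directory path returns 403 rather than a listing.
```

Remember that, per the remediation note above, the subnet restriction only reduces exposure; the vendor upgrade is what removes the CWE-276 misconfiguration.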
Related identifiers: EUVD-2025-209919, GHSA-xprc-xvh6-w68r