Powerflex Manager
Monthly
Dell PowerFlex Manager versions 4.6.2 and earlier improperly store sensitive information in a manner accessible to low-privileged local users, resulting in unauthorized disclosure of confidential data with high confidentiality impact per CVSS. Affected deployments span both the Appliance and Rack form factors of the platform. No public exploit code has been identified at time of analysis and CISA KEV does not list this vulnerability, though the CWE-922 root cause and the 'Authentication Bypass' tag suggest the exposed data may include credentials or tokens that could enable downstream privilege escalation or lateral movement.
Broken or risky cryptographic algorithm use in Dell PowerFlex Manager's SSH component (versions ≤4.6.2) allows a locally authenticated low-privileged attacker to bypass SSH protection mechanisms, affecting both Appliance and Rack form factors. The CVSS vector (AV:L/AC:H/PR:L) reflects significant exploitation barriers: physical or logical local access is required, attack complexity is high, and impact is limited to partial confidentiality and integrity loss with no availability impact. Dell has published dual advisories (DSA-2025-434 for Appliance, DSA-2025-435 for Rack); no public exploit or CISA KEV listing exists at time of analysis.
Open redirect vulnerability in Dell PowerFlex Manager 4.6.2 and prior enables unauthenticated remote attackers to craft malicious application URLs that silently redirect targeted users to arbitrary attacker-controlled web destinations. Exploitation requires user interaction (CVSS UI:R) - a victim must follow a specially crafted link - but no authentication or special privileges are needed on the attacker's side. The primary risk is phishing: because the initial URL appears to point at a legitimate Dell infrastructure management portal, users are more likely to trust and follow it, making credential theft or sensitive data disclosure against PowerFlex administrators a realistic outcome. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Improper certificate validation in Dell PowerFlex Manager version 4.6.2 and earlier allows an unauthenticated attacker on an adjacent network to intercept and tamper with protected communications. The flaw (CWE-295) means the product fails to adequately verify peer certificates during TLS/SSL exchanges, enabling a man-in-the-middle position to read or modify in-transit management data. No active exploitation is confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.
Insecure storage of sensitive information in Dell PowerFlex Manager versions up to and including 4.6.2 exposes credentials, keys, or configuration secrets to any attacker with local OS-level access to the appliance - no PowerFlex Manager authentication required. The CVSS vector (AV:L/AC:L/PR:N/UI:N) confirms the attacker needs only local system access, not application credentials, to retrieve the improperly protected data. No public exploit identified at time of analysis and no CISA KEV listing; however, the 'Authentication Bypass' tag in the intelligence data suggests the exposed sensitive material may itself enable downstream privilege escalation or authentication bypass against PowerFlex or its managed infrastructure.
Incorrect Privilege Assignment in Dell PowerFlex Manager version 4.6.2 and earlier (both Appliance and Rack form factors) allows a low-privileged local attacker to escalate their privileges, impacting confidentiality, integrity, and availability at a low level each (CVSS 5.3 Medium, CWE-266). Dell has published dual advisories (DSA-2025-434 and DSA-2025-435) addressing the Appliance and Rack variants respectively. No public exploit code and no active exploitation have been identified at time of analysis.
Directory listing exposure in Dell PowerFlex Manager versions 4.6.2 and earlier allows an attacker to enumerate directory contents, potentially revealing sensitive files, configuration data, or internal path structures. Both the Appliance and Rack deployment forms are confirmed affected per Dell advisories DSA-2025-434 and DSA-2025-435. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, but the combination of Information Disclosure and Privilege Escalation tags suggests the exposed directory contents may facilitate further privilege escalation beyond initial information leakage.
Dell PowerFlex Manager VM, versions prior to 4.6.2.1, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the system with privileges of the compromised account.
Dell PowerFlex Manager versions 4.6.2 and earlier improperly store sensitive information in a manner accessible to low-privileged local users, resulting in unauthorized disclosure of confidential data with high confidentiality impact per CVSS. Affected deployments span both the Appliance and Rack form factors of the platform. No public exploit code has been identified at time of analysis and CISA KEV does not list this vulnerability, though the CWE-922 root cause and the 'Authentication Bypass' tag suggest the exposed data may include credentials or tokens that could enable downstream privilege escalation or lateral movement.
Broken or risky cryptographic algorithm use in Dell PowerFlex Manager's SSH component (versions ≤4.6.2) allows a locally authenticated low-privileged attacker to bypass SSH protection mechanisms, affecting both Appliance and Rack form factors. The CVSS vector (AV:L/AC:H/PR:L) reflects significant exploitation barriers: physical or logical local access is required, attack complexity is high, and impact is limited to partial confidentiality and integrity loss with no availability impact. Dell has published dual advisories (DSA-2025-434 for Appliance, DSA-2025-435 for Rack); no public exploit or CISA KEV listing exists at time of analysis.
Open redirect vulnerability in Dell PowerFlex Manager 4.6.2 and prior enables unauthenticated remote attackers to craft malicious application URLs that silently redirect targeted users to arbitrary attacker-controlled web destinations. Exploitation requires user interaction (CVSS UI:R) - a victim must follow a specially crafted link - but no authentication or special privileges are needed on the attacker's side. The primary risk is phishing: because the initial URL appears to point at a legitimate Dell infrastructure management portal, users are more likely to trust and follow it, making credential theft or sensitive data disclosure against PowerFlex administrators a realistic outcome. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Improper certificate validation in Dell PowerFlex Manager version 4.6.2 and earlier allows an unauthenticated attacker on an adjacent network to intercept and tamper with protected communications. The flaw (CWE-295) means the product fails to adequately verify peer certificates during TLS/SSL exchanges, enabling a man-in-the-middle position to read or modify in-transit management data. No active exploitation is confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.
Insecure storage of sensitive information in Dell PowerFlex Manager versions up to and including 4.6.2 exposes credentials, keys, or configuration secrets to any attacker with local OS-level access to the appliance - no PowerFlex Manager authentication required. The CVSS vector (AV:L/AC:L/PR:N/UI:N) confirms the attacker needs only local system access, not application credentials, to retrieve the improperly protected data. No public exploit identified at time of analysis and no CISA KEV listing; however, the 'Authentication Bypass' tag in the intelligence data suggests the exposed sensitive material may itself enable downstream privilege escalation or authentication bypass against PowerFlex or its managed infrastructure.
Incorrect Privilege Assignment in Dell PowerFlex Manager version 4.6.2 and earlier (both Appliance and Rack form factors) allows a low-privileged local attacker to escalate their privileges, impacting confidentiality, integrity, and availability at a low level each (CVSS 5.3 Medium, CWE-266). Dell has published dual advisories (DSA-2025-434 and DSA-2025-435) addressing the Appliance and Rack variants respectively. No public exploit code and no active exploitation have been identified at time of analysis.
Directory listing exposure in Dell PowerFlex Manager versions 4.6.2 and earlier allows an attacker to enumerate directory contents, potentially revealing sensitive files, configuration data, or internal path structures. Both the Appliance and Rack deployment forms are confirmed affected per Dell advisories DSA-2025-434 and DSA-2025-435. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, but the combination of Information Disclosure and Privilege Escalation tags suggests the exposed directory contents may facilitate further privilege escalation beyond initial information leakage.
Dell PowerFlex Manager VM, versions prior to 4.6.2.1, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the system with privileges of the compromised account.