214
CVEs
8
Critical
95
High
1
KEV
1
PoC
56
Unpatched C/H
52.3%
Patch Rate
0.3%
Avg EPSS
Severity Breakdown
CRITICAL
8
HIGH
95
MEDIUM
95
LOW
10
Monthly CVE Trend
Affected Products (30)
Powerscale Onefs
21
Unity Operating Environment
19
Linux Kernel
15
Smartfabric Os10
14
Powerprotect Data Manager
13
Wyse Management Suite
13
Data Domain Operating System
10
Cloudlink
8
Powerflex Manager
8
Powerflex Manager Rack
7
Alienware Command Center
7
Thinos
7
Powerflex Manager Appliance
7
Supportassist Os Recovery
5
Ubuntu
5
Objectscale
5
Elastic Cloud Storage
5
Storage Manager
5
Secure Connect Gateway
4
Networker
4
Unisphere For Powermax
4
Precision 3490 Firmware
3
Precision 3590 Firmware
3
Recoverpoint For Virtual Machines
3
Open Redirect
3
Latitude 7650 Firmware
3
Latitude 7350 Firmware
3
Latitude 5550 Firmware
3
Latitude 5350 Firmware
3
Latitude 7350 Detachable Firmware
3
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-22769 | Dell RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 contains hardcoded credentials (CVE-2026-22769, CVSS 10.0) that allow unauthenticated remote attackers with knowledge of the credentials to gain root-level access to the underlying operating system. KEV-listed, this vulnerability exposes disaster recovery infrastructure to complete compromise, potentially affecting the integrity of backup and replication data. | CRITICAL | 10.0 | 34.2% | 134 |
KEV
|
| CVE-2024-53298 | CVE-2024-53298 is a critical missing authorization vulnerability in Dell PowerScale OneFS NFS export functionality that allows unauthenticated remote attackers to gain unauthorized filesystem access without authentication. Affected versions range from 9.5.0.0 through 9.10.0.1, and successful exploitation enables arbitrary file read, modification, and deletion, leading to complete system compromise. With a CVSS score of 9.8 and network-based attack vector requiring no privileges or user interaction, this vulnerability poses severe risk to unpatched Dell PowerScale deployments; KEV status and active exploitation details require vendor advisory verification. | CRITICAL | 9.8 | 0.3% | 49 |
No patch
|
| CVE-2026-40636 | Hard-coded credentials in Dell ECS 3.8.1.0-3.8.1.7 and ObjectScale <4.3.0.0 allow unauthenticated filesystem access. Despite CVSS 9.8 (network vector), the description explicitly states 'local access' is required, creating a critical discrepancy between scoring and actual attack surface. Attackers with local system access can leverage embedded credentials to gain unauthorized filesystem access. No active exploitation (CISA KEV) or public exploit confirmed at time of analysis. Dell advisory DSA-2026-047 addresses the vulnerability. | CRITICAL | 9.8 | 0.1% | 49 |
|
| CVE-2026-26944 | Missing authentication in Dell PowerProtect Data Domain 7.7.1.0-8.6 and LTS releases allows remote unauthenticated attackers to execute arbitrary commands with root privileges when combined with user interaction. Affects enterprise backup appliances across multiple release branches including LTS2025 (8.3.1.0-8.3.1.20) and LTS2024 (7.13.1.0-7.13.1.60). CVSS 8.8 with network vector but requires user interaction (UI:R), reducing immediate automation risk. No EPSS or KEV data available at time of analysis, indicating vulnerability is newly disclosed. Dell security advisory DSA-2026-060 confirms patch availability. | HIGH | 8.8 | 0.1% | 44 |
|
| CVE-2026-26358 | Dell Unisphere for PowerMax 10.2 lacks proper authorization checks, allowing authenticated remote attackers to bypass access controls and gain unauthorized administrative capabilities. This missing authorization vulnerability (CWE-862) affects users who have any valid account credentials on affected systems. No patch is currently available, making this a critical risk for organizations operating vulnerable PowerMax installations. | HIGH | 8.8 | 0.1% | 44 |
No patch
|
| CVE-2026-26359 | Dell Unisphere for PowerMax 10.2 contains a path traversal vulnerability that allows authenticated remote attackers to overwrite arbitrary files on the system. This HIGH severity flaw (CVSS 8.8) requires only low privileges and network access to exploit, potentially enabling complete system compromise. No patch is currently available for this vulnerability. | HIGH | 8.8 | 0.1% | 44 |
No patch
|
| CVE-2026-22765 | Dell Wyse Management Suite versions prior to 5.5 suffer from improper access controls that allow authenticated remote attackers to escalate their privileges. An attacker with low-level credentials can bypass authorization checks to gain high-privilege access to the system, potentially compromising confidentiality, integrity, and availability. No patch is currently available for this vulnerability. | HIGH | 8.8 | 0.0% | 44 |
No patch
|
| CVE-2025-25215 | A security vulnerability in the cv_close functionality of Dell ControlVault3 (CVSS 8.8). High severity vulnerability requiring prompt remediation. | HIGH | 8.8 | 0.0% | 44 |
|
| CVE-2025-24922 | Stack-based buffer overflow vulnerability in Dell ControlVault3's securebio_identify functionality that allows local attackers with low privileges to execute arbitrary code with high impact across the system. The vulnerability affects ControlVault3 versions prior to 5.15.10.14 and ControlVault3 Plus versions prior to 6.2.26.36, and can be triggered via a specially crafted API call with a malicious cv_object parameter. | HIGH | 8.8 | 0.0% | 44 |
|
| CVE-2025-25050 | CVE-2025-25050 is an out-of-bounds write vulnerability in Dell ControlVault3 and ControlVault 3 Plus that allows a local, authenticated attacker to trigger memory corruption through a specially crafted API call to the cv_upgrade_sensor_firmware function. An attacker with local access and low privileges can achieve high-impact compromise including complete confidentiality, integrity, and availability violations. The vulnerability affects all versions prior to ControlVault3 5.15.10.14 and ControlVault 3 Plus 6.2.26.36; exploitation requires local access and valid user credentials but no user interaction. | HIGH | 8.8 | 0.0% | 44 |
|
| CVE-2025-36593 | Dell OpenManage Network Integration, versions prior to 3.8, contains an Authentication Bypass by Capture-replay vulnerability in the RADIUS protocol. An attacker with local network access could potentially exploit this vulnerability to forge a valid protocol accept message in response to a failed authentication request. | HIGH | 8.8 | 0.0% | 44 |
|
| CVE-2026-22273 | Privilege escalation in Dell ECS 3.8.1.0-3.8.1.7 and ObjectScale prior to 4.2.0.0 stems from hardcoded default credentials in the operating system that a remote authenticated attacker can leverage to gain elevated privileges. An attacker with low-level access can exploit this vulnerability to achieve full system compromise including confidentiality, integrity, and availability impacts. No patch is currently available for affected versions. | HIGH | 8.8 | 0.0% | 44 |
No patch
|
| CVE-2025-43888 | Dell PowerProtect Data Manager, Hyper-V, version(s) 19.19 and 19.20, contain(s) an Insertion of Sensitive Information into Log File vulnerability. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available. | HIGH | 8.8 | 0.0% | 44 |
No patch
|
| CVE-2026-24502 | Command \| Intel Vpro Out Of Band versions up to 4.7.0 is affected by uncontrolled search path element (CVSS 8.8). | HIGH | 8.8 | 0.0% | 44 |
No patch
|
| CVE-2025-36574 | Dell Wyse Management Suite versions prior to 5.2 contain an Absolute Path Traversal vulnerability (CWE-36) that allows unauthenticated remote attackers to read arbitrary files and gain unauthorized access without user interaction. The CVSS 8.2 score reflects high confidentiality impact and low integrity impact, with network-based attack vector requiring no privileges or interaction. No KEV/CISA active exploitation data, EPSS score, or public POC is currently confirmed in available intelligence, but the unauthenticated remote nature and path traversal primitive warrant immediate patching. | HIGH | 8.2 | 1.2% | 42 |
|