Description
Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0 contain an authentication bypass by assumed-immutable data vulnerability in Geo replication. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to data in transit.
Published: 2026-05-11
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authentication bypass exists in the Geo replication feature of Dell ECS and ObjectScale: authentication relies on data that is assumed to be immutable but that an attacker can control or modify. This weakness allows an unauthenticated remote attacker to gain unauthorized access to data that is being transferred between replication sites, potentially exposing sensitive information. The flaw is classified as CWE-302 (Authentication Bypass by Assumed-Immutable Data), an authentication weakness that can lead to confidentiality breaches.

Affected Systems

Affected are Dell ECS versions 3.8.1.0 through 3.8.1.7 and any Dell ObjectScale deployment running a version earlier than 4.3.0.0. These systems enable inter‑site Geo replication and, if not updated, can be vulnerable to an unauthorized data‑access exploit.

Risk and Exploitability

The CVSS score of 5.6 classifies this vulnerability as Medium severity. The EPSS score below 1% implies a very low but nonzero probability of exploitation, and the issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote access to the replication interface; an unauthenticated attacker who can reach the Geo replication endpoints could trigger the bypass and retrieve data in transit. The threat is limited to systems that run a vulnerable version of ECS or ObjectScale and are exposed to the network traffic used for replication.

Generated by OpenCVE AI on May 11, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Dell ECS to a version newer than 3.8.1.7, ensuring the Geo replication authentication mechanism is patched
  • Upgrade Dell ObjectScale to version 4.3.0.0 or later to remove the vulnerable replication logic
  • Restrict network access to Geo replication endpoints to authorized hosts using firewall rules or IAM policies as an interim measure
  • Monitor logs for anomalous replication traffic that could indicate exploitation attempts

Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 12 May 2026 10:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Dell, Dell ecs, Dell objectscale |
| Vendors & Products | | Dell, Dell ecs, Dell objectscale |

Mon, 11 May 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Authentication Bypass in Geo Replication Allows Unauthorized Data Access |

Mon, 11 May 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0 contain an authentication bypass by assumed-immutable data vulnerability in Geo replication. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to data in transit. |
| Weaknesses | | CWE-302 |
| References | | |
| Metrics | | cvssV3_1 {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'} |


MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-05-12T13:43:30.327Z

Reserved: 2025-04-21T05:03:43.635Z

Link: CVE-2025-43992

Vulnrichment

Updated: 2026-05-12T13:43:26.551Z

NVD

Status: Awaiting Analysis

Published: 2026-05-11T10:16:12.727

Modified: 2026-05-12T14:17:10.613

Link: CVE-2025-43992

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:23:21Z

Weaknesses