Description
Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the ability to overwrite arbitrary files.
Published: 2026-02-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Overwrite via External Control of File Name or Path
Action: Patch
AI Analysis

Impact

A remote attacker with limited privileges can craft requests to Dell Unisphere for PowerMax that exploit an external control of file name or path flaw. This weakness, classified as CWE-73, permits the attacker to overwrite arbitrary files, potentially corrupting configuration files or installing malicious code. The impact is the loss of data integrity, and in a worst-case scenario, it could compromise the entire storage system.

Affected Systems

Dell PowerMax systems running Dell Unisphere for PowerMax version 10.2 are impacted. The vulnerability exists in both the core Unisphere product and the EEM component handling file operations.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, but the EPSS score of less than 1% suggests that, as of now, exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a low‑privileged attacker accessing the Unisphere web interface remotely; no exploit code is publicly documented, but the flaw can be used in a targeted attack if the attacker can reach the interface.

Generated by OpenCVE AI on April 17, 2026 at 18:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell security update that patches Unisphere for PowerMax to version 10.2 or later; download the update from Dell’s support site.
  • Restrict Unisphere web interface access to trusted administrative networks and ensure that only users with properly scoped privileges can connect remotely.
  • Enforce strong authentication, session timeouts, and limit exposed management ports to reduce the window of opportunity for attackers.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Unisphere for PowerMax External File Path Control Vulnerability |

Wed, 25 Feb 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Fri, 20 Feb 2026 21:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | `cpe:2.3:a:dell:unisphere_for_powermax:*:*:*:*:*:*:*:*`; `cpe:2.3:a:dell:unisphere_for_powermax:*:*:*:*:eem:*:*:*` |

Fri, 20 Feb 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Dell; Dell powermax Os; Dell unisphere For Powermax |
| Vendors & Products | | Dell; Dell powermax Os; Dell unisphere For Powermax |

Thu, 19 Feb 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the ability to overwrite arbitrary files. |
| Weaknesses | | CWE-73 |
| References | | |
| Metrics | | cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` |


MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-02-26T14:44:14.935Z

Reserved: 2026-02-13T18:05:27.826Z

Link: CVE-2026-26359

Vulnrichment

Updated: 2026-02-25T16:00:47.192Z

NVD

Status: Analyzed

Published: 2026-02-19T09:16:25.573

Modified: 2026-02-20T20:58:50.263

Link: CVE-2026-26359

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:15:26Z
