Description
Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Information tampering, Remote execution, Script injection, and Unauthorized access.
Published: 2026-06-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Dell PowerFlex Manager is a Missing Authentication for Critical Function (CWE-306). An unauthenticated attacker who can reach the manager’s services over the network can exploit the flaw to execute arbitrary code, crash services, or modify sensitive data. The impact includes remote code execution, denial of service, information disclosure, and tampering, all of which compromise data integrity, availability, and confidentiality. The weakness allows bypassing authentication controls that should restrict access to administrative functions.

Affected Systems

Affected systems are Dell PowerFlex Manager releases prior to version 5.1.0.1. Users of the PowerFlex Manager packages that have not applied the 2026‑066 update are susceptible. The vulnerability applies to all components that provide the critical functions guarded by authentication checks.

Risk and Exploitability

The CVSS score of 8.8 reflects the high severity of the flaw, while the EPSS score of <1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA KEV. The likely attack vector is adjacent network access; an attacker who can reach the PowerFlex Manager services using the untrusted network can exploit the missing authentication to gain remote code execution or disrupt services. The description states that an unauthenticated attacker can exploit the flaw, and this inference is directly derived from the advisory.

Generated by OpenCVE AI on June 25, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell PowerFlex Manager update documented in the Dell support article to patch the missing authentication flaw.
  • Restrict network access to the PowerFlex Manager by configuring firewall rules that allow only trusted management hosts to reach its services.
  • Segregate the PowerFlex Manager network segment and monitor for anomalous access attempts to detect and contain potential exploitation.

Generated by OpenCVE AI on June 25, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Dell
Dell powerflex
Vendors & Products Dell
Dell powerflex

Thu, 25 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Missing Authentication Enabling Remote Code Execution in Dell PowerFlex Manager

Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to man-in-the-middle attack in tandem with DNS cache poisoning. Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Information tampering, Remote execution, Script injection, and Unauthorized access.

Thu, 25 Jun 2026 13:00:00 +0000

Type Values Removed Values Added
Description Dell PowerFlex Manager, version(s) [Versions], contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Information tampering, Remote execution, Script injection, and Unauthorized access. Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to man-in-the-middle attack in tandem with DNS cache poisoning.

Thu, 18 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Missing Authentication Enabling Remote Code Execution in Dell PowerFlex Manager

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Dell PowerFlex Manager, version(s) [Versions], contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Information tampering, Remote execution, Script injection, and Unauthorized access.
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-06-25T13:01:12.404Z

Reserved: 2026-04-01T05:04:41.954Z

Link: CVE-2026-35065

cve-icon Vulnrichment

Updated: 2026-06-17T16:09:48.606Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:03Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function