The most alarming vulnerability (CVE-2025-27690) affects PowerScale OneFS versions 9.5.0.0 through 9.10.1.0 and stems from the use of a default password.
The flaw allows an unauthenticated remote attacker to compromise high-privileged accounts, posing significant risk to enterprise storage infrastructure.
According to Dell's advisory, "An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to the takeover of a high privileged user account."
This critical flaw carries the highest severity rating, with a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it is reachable over the network with low attack complexity and that exploitation requires no privileges or user interaction.
Additional Security Vulnerabilities
A significant vulnerability (CVE-2025-26330) affects versions 9.4.0.0 through 9.10.0.1 and involves incorrect authorization.
This flaw could allow an attacker with local access to reach the cluster using privileges previously granted to a now-disabled user account.
With a CVSS score of 7.0, this vulnerability presents substantial risk to enterprise environments.
Security researchers have also identified an integer overflow vulnerability (CVE-2025-22471) affecting versions 9.4.0.0 through 9.10.0.1 that could lead to denial of service conditions.
Additionally, CVE-2025-26480 presents an uncontrolled resource consumption vulnerability that similarly enables denial of service attacks.
The vulnerabilities expose multiple attack vectors against Dell's enterprise storage solutions. The most severe flaw allows for direct authentication bypass:
- A remote attacker targets an exposed PowerScale OneFS management interface
- Exploitation of CVE-2025-27690 grants access to high-privileged accounts
- The attacker gains system-level control of the storage infrastructure
Security experts warn that organizations running unpatched PowerScale OneFS installations face significant risks to data integrity and system availability.
Mitigation Recommendations
Dell recommends customers immediately upgrade to remediated versions. For most vulnerabilities, including the critical CVE-2025-27690, upgrading to version 9.10.1.1 or later provides protection.
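As an added example (not Dell's tooling or the advisory's own code), the following check takes the OneFS version string reported by a cluster and maps it onto the affected ranges and the 9.10.1.1 remediated release named above. The version string is assumed to be obtained by the operator; CVE-2025-26480 is left out because no version range is given for it here.

```python
from typing import Dict, List, Tuple

# Inclusive affected ranges as stated for each CVE above.
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "CVE-2025-27690": ("9.5.0.0", "9.10.1.0"),  # default password, unauthenticated takeover
    "CVE-2025-26330": ("9.4.0.0", "9.10.0.1"),  # incorrect authorization, CVSS 7.0
    "CVE-2025-22471": ("9.4.0.0", "9.10.0.1"),  # integer overflow, denial of service
}

# Release named above as remediating most of the issues, including CVE-2025-27690.
FIXED_VERSION = "9.10.1.1"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted OneFS version such as '9.10.0.1' into a tuple of ints.

    Integer tuples compare numerically, so 9.10.x sorts after 9.9.x. A plain
    string comparison would get this wrong ('9.10' < '9.9' lexically).
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OneFS version string: {version!r}")
    # Pad short forms so '9.10' is treated as '9.10.0.0'.
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from the table whose affected range contains `version`."""
    v = parse_version(version)
    return [
        cve
        for cve, (low, high) in AFFECTED_RANGES.items()
        if parse_version(low) <= v <= parse_version(high)
    ]


def is_remediated(version: str) -> bool:
    """True when the cluster runs the remediated release or later."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def report(version: str) -> str:
    """One-line triage summary suitable for an inventory script."""
    hits = affected_cves(version)
    if not hits and is_remediated(version):
        return f"{version}: at or above {FIXED_VERSION}, no listed CVEs apply"
    if not hits:
        return f"{version}: no listed CVEs apply, but below {FIXED_VERSION}"
    return f"{version}: affected by {', '.join(hits)}; upgrade to {FIXED_VERSION}+"


if __name__ == "__main__":
    for sample in ("9.4.0.0", "9.10.0.1", "9.10.1.0", "9.10.1.1"):  # constructed inputs
        print(report(sample))
```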
For organizations unable to update immediately, Dell has provided several workarounds:
- Add impacted users to the "Users who cannot be modified" list using the command
- Set/reset passwords for users not blocked for modification in the System zone file provider
- Disable the WebUI and API via CLI
- Implement firewall rules to limit access to the API and WebUI to trusted networks
Dell emphasizes that organizations should prioritize these updates based on both the CVSS base scores and any relevant temporal and environmental factors that could affect severity in their specific environments.
The company strongly encourages all customers to adopt the Long-Term Support (LTS) 2025 version, which is the 9.10.1.x code line, with the latest maintenance release (currently 9.10.1.1).