
Dell has released a security advisory addressing multiple vulnerabilities in PowerScale OneFS, its scale-out network-attached storage operating system. The vulnerabilities could be exploited by malicious users to compromise affected systems.
The advisory provides details on several vulnerabilities, including:
- CVE-2025-27690: A use of default password vulnerability in PowerScale OneFS versions 9.5.0.0 through 9.10.1.0. An unauthenticated attacker with remote access could exploit this to take over a high privileged user account (CVSS Base Score: 9.8).
- CVE-2025-26330: An incorrect authorization vulnerability in PowerScale OneFS versions 9.4.0.0 through 9.10.0.1. An unauthenticated attacker with local access could exploit this to access the cluster with privileges of a disabled user account (CVSS Base Score: 7.0).
- CVE-2025-22471: An integer overflow or wraparound vulnerability in PowerScale OneFS versions 9.4.0.0 through 9.10.0.1. An unauthenticated attacker with remote access could exploit this to cause a denial of service (CVSS Base Score: 6.5).
- CVE-2025-26480: An uncontrolled resource consumption vulnerability in PowerScale OneFS versions 9.5.0.0 through 9.10.0.0. An unauthenticated attacker with remote access could exploit this to cause a denial of service (CVSS Base Score: 5.3).
- CVE-2025-23378: An exposure of information through directory listing vulnerability in PowerScale OneFS versions 9.4.0.0 through 9.10.0.0. A low privileged attacker with local access could exploit this to disclose information (CVSS Base Score: 3.3).
- CVE-2025-26479: An out-of-bounds write vulnerability in PowerScale OneFS versions 9.4.0.0 through 9.10.0.0. An attacker could exploit this in NFS workflows, leading to data integrity issues (CVSS Base Score: 3.1).
The advisory details the specific PowerScale OneFS versions affected by each CVE and the corresponding remediated versions. In most cases, upgrading to PowerScale OneFS version 9.10.1.1 or later will address the vulnerabilities. However, for certain vulnerabilities, specific remediated versions are available for older OneFS releases. Dell provides links to the PowerScale OneFS Downloads Area for obtaining the necessary updates.
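The affected ranges above are easy to misjudge by eye because OneFS version strings are dotted and multi-component (a plain string sort puts 9.10.x before 9.5.x). The following script is an added example, not Dell's tooling: it encodes the version ranges and CVSS scores exactly as this page states them and reports which advisory entries apply to a given cluster version. It assumes the ranges are inclusive at both ends and uses 9.10.1.1 as the single remediation target; the older-release patched versions the advisory also lists are not reproduced on this page, so they are deliberately not encoded here, which makes the check conservative (a version inside a range is always flagged).

```python
"""Map a PowerScale OneFS version string to the advisory entries that apply.

Version ranges and CVSS scores are the ones stated on the page; the
remediated version 9.10.1.1 is the page's "most cases" target. Sample
inputs under __main__ are constructed for illustration.
"""

from __future__ import annotations

import re

# (CVE, first affected, last affected, CVSS base score, one-line summary),
# inclusive at both ends, as summarised on the page.
AFFECTED = [
    ("CVE-2025-27690", "9.5.0.0", "9.10.1.0", 9.8, "default password, remote account takeover"),
    ("CVE-2025-26330", "9.4.0.0", "9.10.0.1", 7.0, "incorrect authorization, disabled-account access"),
    ("CVE-2025-22471", "9.4.0.0", "9.10.0.1", 6.5, "integer overflow, remote denial of service"),
    ("CVE-2025-26480", "9.5.0.0", "9.10.0.0", 5.3, "uncontrolled resource consumption, remote DoS"),
    ("CVE-2025-23378", "9.4.0.0", "9.10.0.0", 3.3, "directory listing information disclosure"),
    ("CVE-2025-26479", "9.4.0.0", "9.10.0.0", 3.1, "out-of-bounds write in NFS workflows"),
]

# Assumption: the page's "9.10.1.1 or later" is used as the single target.
REMEDIATED = "9.10.1.1"


def parse_version(s: str) -> tuple[int, ...]:
    """Turn '9.10.0.1' into (9, 10, 0, 1) so comparisons are numeric.

    Shorter strings are padded with zeros, so '9.10' compares like '9.10.0.0'.
    Anything that is not a dotted run of integers is rejected rather than
    silently compared as text.
    """
    s = s.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (4 - len(parts))


def applicable_cves(version: str) -> list[tuple[str, float, str]]:
    """Return (CVE, CVSS, summary) for each entry whose range contains
    `version`, highest CVSS first."""
    v = parse_version(version)
    hits = [
        (cve, score, summary)
        for cve, lo, hi, score, summary in AFFECTED
        if parse_version(lo) <= v <= parse_version(hi)
    ]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def needs_upgrade(version: str) -> bool:
    """True when at least one advisory entry applies to this version."""
    return bool(applicable_cves(version))


def report(version: str) -> str:
    """Human-readable summary for one cluster version."""
    hits = applicable_cves(version)
    if not hits:
        return f"OneFS {version}: no advisory entries apply"
    lines = [f"OneFS {version}: {len(hits)} advisory entries apply; "
             f"upgrade to {REMEDIATED} or later"]
    for cve, score, summary in hits:
        lines.append(f"  {cve}  CVSS {score:.1f}  {summary}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample versions, not data from the page.
    for sample in ("9.3.0.0", "9.4.0.0", "9.5.0.5", "9.10.0.1", "9.10.1.0", "9.10.1.1"):
        print(report(sample))
```

Feed it the version reported by each cluster (the output of your inventory tooling, one version per line) and treat any non-empty result as a patching ticket; because the older-release fixed builds are not encoded, a cluster already running one of those will still be flagged and should be cleared against the full advisory table.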
For the high-severity CVE-2025-27690 vulnerability, the advisory provides several workarounds that can be implemented until an upgrade or patch is applied. These workarounds include:
- Adding impacted users to the “Users who cannot be modified” list.
- Setting or resetting the passwords of users who are not blocked from modification, then disabling those accounts.
- Disabling the WebUI and API via CLI.
- Limiting access to the API & WebUI to trusted networks via firewall rules.
It’s important to note that some of the workarounds do not completely mitigate the risk. Dell recommends upgrading to a fixed release or applying the patch as the primary solution.