TL;DR
Dell has patched a batch of flaws in PowerFlex Manager. The most severe, CVE-2026-56688, enables PowerFlex command execution as root. It carries a CVSS score of 9.1. So far, no public exploitation or proof-of-concept has been confirmed.
Why it matters
PowerFlex Manager runs software-defined storage inside enterprise data centers. A root-level break-in there is serious. An attacker who gains that access can take over the entire appliance. From there, they can move sideways into managed infrastructure.
The advisory bundles more than a dozen CVEs in one release. Several rate high, including CVE-2026-35065 at 8.8 and CVE-2026-32804 at 8.1. Together, these bugs widen exposure across authentication, access control, and SQL handling. As a result, defenders should treat the whole update as urgent.
How the attack works
CVE-2026-56688 is an OS command injection flaw. It sits in the way PowerFlex Manager handles OS Repository processing. Because input is not neutralized, crafted values reach a system command. Therefore, a high-privileged attacker with remote access can run arbitrary commands as root.
This PowerFlex command execution path can lead to full appliance compromise. The related SQL injection and authentication bugs follow a similar theme of poor input handling. We are not publishing exploit code or step-by-step instructions.
Exploitation status
Dell reports no evidence of attacks in the wild. No public proof-of-concept exists at publication. Even so, the high scores make these flaws a strong target. Attackers often study vendor advisories to build their own exploits. Patch quickly, before that window closes.
Affected versions
The flaws affect PowerFlex Software before version 5.1.0.1. A second branch, versions before 4.5.5.2, is also affected. According to NVD, the CVSS scores span from 3.5 up to 9.1 across the set.
Dell lists both PowerFlex Software branches in scope. The advisory covers proprietary code flaws across many components. Some CVEs need only adjacent network access. Others need remote access with low or no privileges. This range means many deployment types face some risk.
Patch and mitigation
Dell urges upgrades without delay. Move PowerFlex Software to 5.1.0.1 or later. For the older branch, update to 4.5.5.2 or later. Both fixes ship through the RCM release.
Until you patch, limit network reach to the management interface. Restrict console access to trusted admins only.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.