ZeroPath at Black Hat USA 2026

Dell PowerFlex Manager CVE-2026-35065: Brief Summary of a Pre-Authentication Management Plane Vulnerability

A brief summary of CVE-2026-35065, a CVSS 8.8 missing authentication flaw in Dell PowerFlex Manager that allows unauthenticated attackers on the management VLAN to execute code and compromise the storage cluster. Includes patch information and threat intelligence context.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-17

Dell PowerFlex Manager CVE-2026-35065: Brief Summary of a Pre-Authentication Management Plane Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A critical management function in Dell PowerFlex Manager can be invoked by any unauthenticated attacker sitting on the management network segment, with no credentials, no user interaction, and no special conditions required. Given that PowerFlex Manager is the orchestration layer for Dell's software defined storage platform, capable of scaling to over 2,000 nodes and 240 million IOPS, this missing authentication flaw (CVE-2026-35065, CVSS 8.8) effectively hands an adjacent attacker the command and control channel for the entire storage cluster.

Dell PowerFlex, formerly known as ScaleIO and VxFlex OS, is a commercial software defined storage product that pools direct attached storage from x86 servers into shared block storage over IP networks. It is deployed across enterprise environments running VMware, Hyper-V, Xen, and KVM, supporting high performance workloads including Oracle databases. PowerFlex Manager specifically provides the UI and REST API for lifecycle management of PowerFlex rack and appliance deployments, making it the single pane of glass for cluster operations.

Technical Information

Root Cause: CWE-306 Missing Authentication for Critical Function

CVE-2026-35065 falls under CWE-306, which describes a condition where software performs a critical function, one that uses significant system resources or modifies privileged state, without performing any authentication of the caller. As MITRE documents, the consequence is that any attacker who can reach the function inherits the privilege level of that function. The typical technical outcomes are reading or modification of sensitive data, administrative privilege acquisition, and arbitrary code execution.

MITRE identifies two recurring root causes for CWE-306: omission of security tactics during architecture and design, and creation of a secondary channel that was assumed to be private but is reachable by attackers. The latter pattern, where "internal network only" is conflated with "authentication not required," is a recurring antipattern in management appliances and matches the Adjacent attack vector on this advisory precisely.

What PowerFlex Manager Controls

PowerFlex Manager hosts the cluster user interface and the REST API used for lifecycle management of PowerFlex rack and appliance deployments. It is the orchestration layer for the entire storage infrastructure. A missing authentication defect on this component means an attacker can interact with cluster management operations, including deployment, configuration, and potentially destructive actions, without ever presenting credentials.

CVSS Vector Decomposition

The base score of 8.8 derives from the vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Each metric maps to a specific operational reality:

MetricValueOperational Meaning
Attack Vector (AV)AdjacentAttacker must be on the same logical segment as the management plane
Attack Complexity (AC)LowNo special conditions, no race, no configuration prerequisite
Privileges Required (PR)NoneNo credential of any kind is required
User Interaction (UI)NoneNo user needs to be tricked
Scope (S)UnchangedImpact stays inside the vulnerable component boundary
Confidentiality (C)HighTotal disclosure of managed resources
Integrity (I)HighTotal modification of managed resources
Availability (A)HighTotal disruption of managed services

The Adjacent vector rather than Network is the only metric preventing this from reaching CVSS 9.0+. In practice, "adjacent" maps to the PowerFlex management VLAN.

Attack Surface and Exploitation Flow

Dell's architectural guidance places PowerFlex Manager inside a dedicated "Management control plane" on a "PowerFlex management cluster" reached via dedicated management switches (for example, Dell PowerSwitch S3248T-ON). The "adjacent network access" requirement therefore means the management VLAN, not the data VLAN.

The likely exploitation flow proceeds as follows:

  1. The attacker gains a position on the management VLAN. This could be through a compromised administrator jump box, a mis-deployed VM routed onto the management segment, a second tier operator subnet, or a malicious insider.
  2. The attacker identifies the PowerFlex Manager instance and its exposed API or UI endpoints.
  3. The attacker invokes the unauthenticated critical function directly, without presenting any credentials.
  4. Because the function executes at the privilege level of the manager, the attacker gains the ability to execute code, modify cluster configuration, exfiltrate data, inject scripts, or disrupt storage services across the entire PowerFlex deployment.

The published impact list from Dell confirms this breadth: code execution, denial of service, information disclosure, information tampering, remote execution, script injection, and unauthorized access.

Why "Adjacent Only" Is Less Reassuring Than It Sounds

The AV:A vector is often treated as a significant mitigating factor, but in real PowerFlex deployments, the management VLAN is reachable from multiple trust boundaries. Any operator tier foothold already on the management VLAN qualifies, including a legitimate but compromised administrator jump box or a tenant VM that is mis-routed onto the management segment. For organizations running hyper-converged PowerFlex configurations where SDS and SDC are co-located, the management plane may share physical infrastructure with compute workloads, further reducing the effective barrier to adjacency.

Patch Information

Dell has addressed CVE-2026-35065 through security advisory DSA-2026-066, released on June 15, 2026. The fix is delivered as a software upgrade to the PowerFlex Software bundle, which includes the PowerFlex Manager component where this flaw resides.

The core of this patch adds proper authentication enforcement to the critical function within PowerFlex Manager that was previously accessible to unauthenticated users on the adjacent network.

Dell provides remediated versions across two supported release branches:

  • 5.x branch: Upgrade to Version 5.1.0.1 or later
  • 4.x branch: Upgrade to Version 4.5.5.2 or later

Organizations running any PowerFlex Software version prior to these thresholds on their respective branch are affected and must upgrade. The updated packages are available through the Dell RCM release portal. For manual upgrade paths, Dell directs administrators to the PowerFlex (ScaleIO) Drivers and Downloads page.

This advisory bundles fixes for multiple other proprietary code vulnerabilities resolved in the same upgrade, including:

  • SQL injection flaws: CVE-2026-35069, CVE-2026-35068
  • Improper access control issues: CVE-2026-35066, CVE-2026-35067 (CVSS 5.7), CVE-2026-35162 (CVSS 4.3)
  • Improper authentication bugs: CVE-2026-32804 (CVSS 8.1), CVE-2026-49502 (CVSS 7.4)
  • Broken cryptographic algorithm: CVE-2026-40641
  • Third party component CVEs in Kernel, urllib3, and Keycloak

A single upgrade pass addresses the entire batch. Dell credits the security researcher brocked200 for reporting CVE-2026-35065 along with several of the sibling CVEs.

There is no published configuration workaround, firewall allowlist recipe, or temporary patch in DSA-2026-066. The only Dell prescribed remedy is the software upgrade.

For defense in depth while planning the upgrade, operators should consider these compensating controls drawn from CWE-306 guidance and PowerFlex architecture documentation:

  • Restrict the management plane at the network layer by tightening ACLs so that only administrators on the designated management VLAN, or via a bastion host with MFA, can reach the manager.
  • Enforce SSO or IdP mediated access in front of the PowerFlex Manager UI and API rather than relying solely on local authentication.
  • Monitor for unexpected access patterns including unauthenticated HTTP requests to manager API paths, repeated error responses, and cluster configuration changes without corresponding credentialed audit events.

After upgrade, verify the running PowerFlex Software version is at least 5.1.0.1 or 4.5.5.2 as appropriate, then confirm that authentication is now required at each manager function path and that audit logging captures all invocations.

Affected Systems and Versions

The following PowerFlex Software versions are affected:

  • 5.x branch: All versions prior to 5.1.0.1
  • 4.x branch: All versions prior to 4.5.5.2

The vulnerable component is specifically PowerFlex Manager, the management and orchestration layer within the broader PowerFlex Software bundle. Deployments in both hyper-converged (HCI) configurations, where SDS and SDC are co-located, and two-layer configurations where they are separated, are affected if running vulnerable versions.

Vendor Security History

Dell's PowerFlex product line has a documented history of management plane vulnerabilities. Prior CVEs affecting PowerFlex Manager include:

  • CVE-2025-32750: Directory listing exposure in PowerFlex Manager versions prior to 4.6.3, rated CVSS 7.5
  • CVE-2025-32751: Information disclosure vulnerability in PowerFlex Manager
  • CVE-2025-32746: Information disclosure vulnerability in PowerFlex Manager

Beyond PowerFlex, the broader Dell enterprise appliance ecosystem has seen significant security events in 2026. Most notably, CVE-2026-22769, a hardcoded credential flaw in Dell RecoverPoint for Virtual Machines, was exploited as a zero day by the PRC linked threat cluster UNC6201 since mid 2024. Google's threat intelligence team documented the actor delivering the BRICKSTORM backdoor, GRIMBOLT native backdoors, and the SLAYSTYLE webshell through this vulnerability. CISA added CVE-2026-22769 to the KEV catalog on February 18, 2026.

Dell has issued numerous security advisories across its product families in 2026, including DSA-2026-060 (PowerProtect Data Domain), DSA-2026-136 (PowerEdge OpenSSL), DSA-2026-140 (Dell Networking rsync), DSA-2026-143 (ObjectScale log file), and DSA-2026-193 (Automation Platform). The Canadian Centre for Cyber Security independently republishes Dell advisories (e.g., AV26-138, AV26-203), reflecting the sustained attention from national cybersecurity agencies.

While Dell Technologies publicly launched a 2026 expansion of its security by design and cyber resilience product narrative, the practitioner takeaway remains unchanged: the practical security posture of a Dell enterprise appliance is set by the operator's patch cadence and management plane segmentation, not by vendor marketing.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization