Introduction
Hard coded credentials in enterprise storage infrastructure represent one of the more straightforward paths to complete system compromise, and when that infrastructure is purpose built for exascale AI workloads, the data at risk scales accordingly. CVE-2026-40636 affects Dell Elastic Cloud Storage (ECS) and Dell ObjectScale, two enterprise object storage platforms designed for large scale data collection, generative AI training, and global content delivery, and it carries a CVSS score of 9.8.
Dell ECS and ObjectScale are enterprise object storage solutions featuring exascale architecture and AI optimized storage capabilities. These platforms serve organizations managing massive data lakes and content repositories. Their role in the broader infrastructure ecosystem means a compromise at the storage layer can have cascading effects on data pipelines, model training workflows, and content delivery systems that depend on them.
Technical Information
The vulnerability is classified under CWE-798: Use of Hard Coded Credentials. The affected Dell ECS and ObjectScale software ships with credentials embedded directly in the product, associated with default node users. Because these credentials are static and known, they can be leveraged by an attacker who gains access to the system.
Dell's advisory states that an unauthenticated attacker with local access could exploit this flaw to gain filesystem access. However, the official CVSS vector string published by Dell paints a broader picture:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The Network attack vector (AV:N) suggests that if the management or service interfaces of the storage nodes are exposed to a network, remote exploitation may be possible without requiring strict local physical access. This discrepancy between the textual description ("local access") and the CVSS vector ("Network") is notable and worth careful consideration when assessing exposure in your environment.
The remaining CVSS metrics reinforce the severity: attack complexity is Low (AC:L), no privileges are required (PR:N), no user interaction is needed (UI:N), and all three impact categories (Confidentiality, Integrity, Availability) are rated High. This describes a vulnerability that is straightforward to exploit once an attacker can reach the relevant interface.
Successful exploitation grants the attacker complete filesystem access on the storage node. On an enterprise object storage platform designed for exascale workloads, this means a malicious actor could:
- Read sensitive stored data across the filesystem
- Modify system configurations on the storage node
- Tamper with stored objects
- Disrupt storage availability
The advisory references default node users and their associated credentials, which are documented in the Dell ObjectScale 4.3.0.0 Security Configuration Guide. No public Proof of Concept or detailed exploitation path has been published for this vulnerability.
Affected Systems and Versions
| Product | Affected Versions | Remediated Version |
|---|---|---|
| Dell Elastic Cloud Storage (ECS) | Versions 3.8.1.0 through 3.8.1.7 | Version 4.3.0.0 or later |
| Dell ObjectScale | All versions prior to 4.3.0.0 | Version 4.3.0.0 or later |
Both products require an upgrade to version 4.3.0.0 or later to fully resolve the vulnerability. Customers should open an Operating Environment Upgrade Service Request with Dell and reference DSA-2026-019.
For organizations that cannot immediately upgrade, Dell documents a password change procedure for default node users. This procedure is found under the Default Node Users table in the Dell ObjectScale 4.3.0.0 Security Configuration Guide. Applying this password change on all supported ECS or ObjectScale versions mitigates the vulnerability without requiring an immediate system upgrade.
Given the CVSS vector's Network attack vector, organizations should also review whether management or service interfaces on ECS and ObjectScale nodes are exposed to broader network segments. Restricting network access to these interfaces reduces the attack surface while remediation is in progress.
Vendor Security History
Dell maintains a dedicated Product Security Incident Response Team (PSIRT) that coordinates the response and disclosure of security vulnerabilities across its product portfolio. Third party researchers, including the watchTowr Labs team that reported CVE-2025-36604 (a pre authentication command injection in Dell UnityVSA), have publicly noted Dell PSIRT for their professionalism and responsiveness. The existence of a prior critical vulnerability in another Dell storage product (UnityVSA) is a reminder that storage infrastructure remains an active area of security research and that organizations should stay current on Dell security advisories.
It is also worth noting that an earlier advisory (DSA-2026-047) initially indicated version 4.2.0.0 as the remediated version, but the most current guidance under DSA-2026-019 mandates version 4.3.0.0 or later. Organizations that may have already patched to 4.2.0.0 based on earlier guidance should verify they are on 4.3.0.0 or later.
References
- NVD Entry for CVE-2026-40636
- DSA-2026-019: Security Update for Dell ECS and ObjectScale Multiple Vulnerabilities
- DSA-2026-047: Earlier Security Update for Dell ECS and ObjectScale
- Dell ObjectScale Product Page
- Dell Supply Chain Resilience (PSIRT Information)
- watchTowr Labs: Dell UnityVSA Pre Auth Command Injection (CVE-2025-36604)
- CISA Known Exploited Vulnerabilities Catalog Update (April 2026)



