VYPR
Unrated severity · NVD Advisory · Published Dec 13, 2018 · Updated Sep 17, 2024

iDRAC7/iDRAC8/iDRAC9 - Privilege Escalation Vulnerability

CVE-2018-15774

Description

Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges could potentially exploit a permissions check flaw in the Redfish interface to gain administrator access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated operator in Dell EMC iDRAC7/8/9 can bypass a permission check in the Redfish API and escalate to administrator.

Vulnerability

Dell EMC iDRAC7 and iDRAC8 firmware versions prior to 2.61.60.60, and iDRAC9 firmware versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability [1]. The flaw resides in a permissions check within the Redfish interface, where an authenticated user with operator privileges is incorrectly allowed to perform actions that should require administrator access [1].

Exploitation

An attacker must already have valid iDRAC credentials with operator-level privileges and be able to reach the Redfish API over the network. No additional user interaction is required. By sending crafted HTTP requests to the Redfish endpoint, the attacker can trigger the flawed permission check and execute operations reserved for the administrator role [1].

Impact

Successful exploitation grants the attacker complete administrative control over the iDRAC. This allows full management of the host system, including power operations, virtual media mounting, firmware updates, and configuration changes. The compromise of iDRAC can lead to further compromise of the underlying server [1].

Mitigation

Dell EMC has released fixed firmware versions: iDRAC7/8 version 2.61.60.60 and iDRAC9 versions 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 [1]. Administrators should upgrade to these versions or later as soon as possible. No workarounds are documented [1].
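Because the fixed builds differ per iDRAC generation, and iDRAC9 has one fixed build per release branch, deciding from an inventory export which controllers still need the upgrade is easy to get wrong by hand. The following added example (not part of the advisory, and not Dell code) compares firmware build strings against the fixed versions quoted above. It assumes Dell build strings are dotted integers that compare component-wise, and it maps an iDRAC9 version to its branch by the major.minor prefix; both are assumptions made for this example. Versions on a branch the advisory does not list (for instance 3.22.x) or between two fixes on the same branch are reported as "review" rather than guessed, so that a human checks the release notes. The host names and firmware values in the sample inventory are constructed.

```python
"""Triage iDRAC firmware versions against the fixed builds for CVE-2018-15774.

Added example: this is not Dell's code or the advisory's; the branch logic is an
assumption made here for illustration.
"""

# Fixed firmware builds taken from the advisory text.
FIXED_VERSIONS = {
    "iDRAC7": ["2.61.60.60"],
    "iDRAC8": ["2.61.60.60"],
    "iDRAC9": ["3.20.21.20", "3.21.24.22", "3.21.26.22", "3.23.23.23"],
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted build string such as '3.21.24.22' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(model: str, version: str) -> str:
    """Return 'affected', 'fixed' or 'review' for one model/firmware pair.

    'review' means the automated comparison is not conclusive: the build sits on
    an iDRAC9 branch the advisory does not list, or between two fixed builds on
    the same branch, so Dell's release notes should be consulted.
    """
    if model not in FIXED_VERSIONS:
        raise ValueError(f"model not covered by CVE-2018-15774: {model!r}")
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in FIXED_VERSIONS[model])

    if v < fixes[0]:
        return "affected"  # older than every fixed build: "prior to" all of them
    if v >= fixes[-1]:
        return "fixed"  # at or beyond the newest fixed build ("or later")

    # Assumption: a fixed build applies to versions sharing its major.minor prefix.
    branch_fixes = [f for f in fixes if f[:2] == v[:2]]
    if not branch_fixes:
        return "review"  # e.g. 3.22.x: no fix listed for this branch
    if v < min(branch_fixes):
        return "affected"
    if v >= max(branch_fixes):
        return "fixed"
    return "review"  # between two fixes on one branch (e.g. 3.21.25.x)


def triage(inventory):
    """Group (hostname, model, firmware) rows by verdict."""
    report = {"affected": [], "fixed": [], "review": []}
    for host, model, firmware in inventory:
        report[assess(model, firmware)].append(host)
    return report


# Constructed sample inventory; host names and builds are illustrative only.
SAMPLE_INVENTORY = [
    ("bmc-01", "iDRAC8", "2.52.52.52"),
    ("bmc-02", "iDRAC8", "2.61.60.60"),
    ("bmc-03", "iDRAC9", "3.15.17.15"),
    ("bmc-04", "iDRAC9", "3.21.23.22"),
    ("bmc-05", "iDRAC9", "3.21.26.22"),
    ("bmc-06", "iDRAC9", "3.22.11.10"),
    ("bmc-07", "iDRAC9", "3.34.159.92"),
]

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict:8s} {', '.join(hosts) or '-'}")
```

Feed it the model and firmware columns from whatever inventory source you already have (the Redfish `Managers` collection reports both for each controller), and treat every "review" row as a manual check rather than a pass.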

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (4)

  • Dell/iDRAC9 (llm-fuzzy)
    Range: < 3.20.21.20 / < 3.21.24.22 / < 3.21.26.22 / < 3.23.23.23
  • Dell/Idrac7 (llm-fuzzy), 2 versions
    • (no CPE) range: < 2.61.60.60
    • (no CPE) range: iDRAC7
  • Dell/iDRAC8 (llm-fuzzy)
    Range: < 2.61.60.60

Patches (0)

No patches discovered yet.


References (2)
