VYPR
High severity 7.4 · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2024-39575

Description

The update_disk_psu_baseline.sh script in Dell VxRail exposes administrative passwords in plain text, enabling local credential theft.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The update_disk_psu_baseline.sh script in Dell VxRail requires that an administrative password be provided in plain text, either as a command-line argument or within the script's execution context. This exposes the password to any local user with privileges to view running processes or script contents. The vulnerability affects Dell VxRail versions prior to the security update referenced in [1].

Exploitation

An attacker with local shell access to the VxRail appliance can observe the plain-text password by examining process listings (e.g., ps aux) or the script's invocation arguments. No additional privileges or user interaction beyond local access is required.
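The exposure mechanism described above, as an added example that is not Dell's script or part of the original advisory: a password passed as a command-line argument is readable from `/proc/<pid>/cmdline` (the data behind `ps aux`) for as long as the task runs, while one delivered on stdin is not. The `baseline-task` name, both flags and the password are constructed for illustration and do not reflect the real script's interface; a Linux `/proc` is assumed.

```shell
#!/bin/sh
# Added example, not Dell's script. Task name, flags and password are constructed.
SECRET='Constructed-Pw-4f2a'   # constructed sample value, not a real credential

# Pattern the advisory describes: the password is an argv element of the task.
# `sh -c '...; :'` stands in for a long-running maintenance task; the trailing
# `:` keeps the shell (and its argv) alive instead of exec'ing into sleep.
start_argv_task() {
    sh -c 'sleep 3; :' baseline-task --password "$SECRET" >/dev/null 2>&1 &
    echo $!
}

# Hardened pattern: the password arrives on stdin. printf is a shell builtin,
# so no process ever carries the value in its argument vector.
start_stdin_task() {
    printf '%s\n' "$SECRET" |
        sh -c 'IFS= read -r pw; sleep 3; :' baseline-task --password-stdin >/dev/null 2>&1 &
    echo $!
}

# Exit 0 if the secret is visible in the argv of process $1.
# Uses `case`, not grep, so the check itself does not place the secret in argv.
argv_leaks() {
    [ -r "/proc/$1/cmdline" ] || return 1
    args=$(tr '\0' ' ' < "/proc/$1/cmdline")
    case $args in *"$SECRET"*) return 0 ;; *) return 1 ;; esac
}

# Start one task with the given starter function, give it a second to exec,
# then report whether its argv is "exposed" or "hidden".
check() {
    pid=$("$1")
    sleep 1
    if argv_leaks "$pid"; then echo exposed; else echo hidden; fi
}

echo "password in argv:  $(check start_argv_task)"
echo "password on stdin: $(check start_stdin_task)"
```

The same `argv_leaks` check can be pointed at any wrapper script during review to confirm that a credential never reaches a child process's argument vector.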

Impact

Successful exploitation allows the attacker to capture the administrative password for disk/PSU baseline operations. This credential could then be reused to gain elevated access to other VxRail components or management interfaces, leading to full system compromise.

Mitigation

Dell has released a security update for VxRail 7.0.520 that addresses this vulnerability. Users should apply the update as described in [1]. No workaround is available for unpatched versions.

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
