Dell Discloses 13 CVEs Across PowerFlex, ECS, VxRail, and More
Dell published 13 security advisories in a four-day window, with the bulk of the flaws — eight medium-severity bugs — concentrated in PowerFlex Manager versions up to 4.6.2.

Dell released 13 security advisories between May 18 and May 22, 2026, covering vulnerabilities across PowerFlex Manager, ECS, Unisphere for PowerMax, VxRail, SmartFabric Storage Software, and Live Optics collectors. The largest cluster — eight CVEs — targets Dell PowerFlex Manager versions up to 4.6.2, spanning bug classes from directory listing exposure to open redirect and insecure credential storage.
PowerFlex Manager accounts for the heaviest concentration. Seven of the eight PowerFlex CVEs carry Medium severity, with one rated High. The most severe is CVE-2025-32750 (CVSS 7.5, High), an information exposure through directory listing that an unauthenticated remote attacker can exploit. A sibling directory-listing bug, CVE-2025-32749 (CVSS 5.3), shares the same attack vector and affected version range. Both allow an unauthenticated remote attacker to enumerate file structures and potentially extract sensitive data.
Privilege and credential weaknesses also feature prominently in the PowerFlex batch. CVE-2025-32747 (CVSS 5.3) is an incorrect privilege assignment vulnerability that lets a low-privileged local attacker escalate privileges. Two insecure storage of sensitive information flaws — CVE-2025-32751 (CVSS 5.5) and CVE-2025-32746 (CVSS 4.0) — expose stored secrets to local attackers, with the latter exploitable by an unauthenticated local user. CVE-2025-32745 (CVSS 4.2) involves improper certificate validation exploitable from an adjacent network, while CVE-2025-26483 (CVSS 6.1) is an open redirect vulnerability that could be weaponized for phishing campaigns. Rounding out the PowerFlex set is CVE-2025-46371 (CVSS 3.6, Low), a use of a broken or risky cryptographic algorithm in SSH that a low-privileged local attacker could leverage for protection mechanism bypass.
Beyond PowerFlex, the remaining five CVEs span four other Dell products. CVE-2022-34363 (CVSS 6.5, Medium) is an authorization bypass flaw in the Unisphere for VMAX application running in vApp, affecting Dell Unisphere for PowerMax vApp versions prior to 10.0.0.2. CVE-2022-31231 (CVSS 5.9, Medium) affects Dell ECS versions 3.5 and 3.6, where improper access control in the Identity and Access Management (IAM) module could let a remote unauthenticated attacker gain read access to unauthorized data.
CVE-2021-21508 (CVSS 6.7, Medium) is a plain-text password storage vulnerability in Dell VxRail Manager affecting versions before 7.0.200. A sys-admin user could exploit it to disclose certain user credentials, potentially using the exposed credentials to access the vulnerable application with elevated privileges.
CVE-2026-35070 (CVSS 6.4, Medium) is a command injection vulnerability in Dell SmartFabric Storage Software versions prior to 1.4.5 that a high-privileged local attacker could exploit to gain filesystem access. Finally, CVE-2026-41119 (CVSS 6.8, Medium) is an improper certificate validation vulnerability in Dell Live Optics Windows and Personal Edition collectors that a remote unauthenticated attacker could exploit, leading to loss of confidentiality and integrity.
Patch status varies by product. Dell has addressed the PowerFlex Manager vulnerabilities in a release beyond version 4.6.2 — users should consult Dell's security advisory for the specific fixed build. For SmartFabric Storage Software, the fix is in version 1.4.5 and later. Unisphere for PowerMax vApp is patched in version 10.0.0.2. VxRail Manager is fixed in version 7.0.200 and later. Dell ECS users running versions 3.5 or 3.6 should apply the latest IAM module updates. For Live Optics collectors, Dell recommends upgrading to the latest collector version that addresses the certificate validation issue.
This batch underscores the breadth of Dell's enterprise storage and management ecosystem and the corresponding attack surface. While none of the 13 CVEs carry a Critical severity, the concentration of medium-severity flaws in PowerFlex Manager — particularly the directory listing and privilege escalation bugs — warrants prompt patching for organizations running that platform. The inclusion of older CVEs (dating back to 2021 and 2022) in this disclosure window suggests Dell is working through a backlog of coordinated disclosures, making it important for security teams to verify they have applied all relevant patches rather than focusing only on the most recent CVEs.
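As an added example (not from Dell or the original article), the affected ranges stated above can be checked against an asset inventory with numeric version comparison, which avoids the string-compare mistake of treating 7.0.99 as newer than 7.0.200. The inventory rows are constructed, Live Optics is left out because the article gives no version bound for it, and reading ECS "3.5 and 3.6" as release branches is an assumption.

```python
import re

# Affected ranges as stated in this article; fixed builds come from Dell's advisories.
RULES = {
    "PowerFlex Manager": ("le", ["4.6.2"], [
        "CVE-2025-32750", "CVE-2025-32749", "CVE-2025-32747", "CVE-2025-32751",
        "CVE-2025-32746", "CVE-2025-32745", "CVE-2025-26483", "CVE-2025-46371"]),
    "SmartFabric Storage Software": ("lt", ["1.4.5"], ["CVE-2026-35070"]),
    "Unisphere for PowerMax vApp": ("lt", ["10.0.0.2"], ["CVE-2022-34363"]),
    "VxRail Manager": ("lt", ["7.0.200"], ["CVE-2021-21508"]),
    "ECS": ("branch", ["3.5", "3.6"], ["CVE-2022-31231"]),  # assumption: 3.5.x / 3.6.x branches
}

def parse_version(text):
    """'10.0.0.2' -> (10, 0, 0, 2); non-numeric input is rejected, not guessed."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.strip().split("."))

def compare(a, b):
    """Numeric compare with zero padding: 7.0.99 < 7.0.200 and 1.4.5 == 1.4.5.0."""
    a, b = a + (0,) * len(b), b + (0,) * len(a)  # both now have the same length
    return (a > b) - (a < b)

def is_affected(product, installed):
    kind, bounds, _ = RULES[product]
    have, limits = parse_version(installed), [parse_version(b) for b in bounds]
    if kind == "branch":
        return any(have[:len(lim)] == lim for lim in limits)
    return compare(have, limits[0]) < (0 if kind == "lt" else 1)

def triage(inventory):
    """Return (host, product, version, status, cves) per inventory row."""
    findings = []
    for host, product, version in inventory:
        if product not in RULES:
            status = "not-covered"        # outside the ranges listed above
        else:
            try:
                status = "affected" if is_affected(product, version) else "ok"
            except ValueError:
                status = "manual-review"  # e.g. a build suffix the parser will not guess at
        cves = RULES[product][2] if status in ("affected", "manual-review") else []
        findings.append((host, product, version, status, cves))
    return findings

# Constructed inventory: hostnames and installed versions are made up.
SAMPLE = [("pfm-01", "PowerFlex Manager", "4.6.2"), ("vxr-01", "VxRail Manager", "7.0.99"),
          ("ecs-01", "ECS", "3.6.2.1"), ("sfs-01", "SmartFabric Storage Software", "1.4.5")]
```

Calling `triage(SAMPLE)` returns one row per host; rows marked `manual-review` keep their CVE list so they are not silently dropped from follow-up.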