VYPR
Advisory · Published Jun 17, 2026 · Updated Jun 19, 2026 · 1 source

Dell PowerFlex Manager: 11 CVEs Disclosed in Single-Day Advisory Batch


Key findings

  • 11 CVEs disclosed for Dell PowerFlex Manager on June 17, 2026
  • CVE-2026-35065 is a missing-authentication bug that can lead to code execution
  • CVE-2024-47477 enables man-in-the-middle attacks via improper certificate validation
  • Two SQL injection flaws (CVE-2026-35069, CVE-2026-35068) affect adjacent network attackers
  • Three improper access control CVEs include privilege escalation and denial of service
  • Patch versions vary by CVE; no single cumulative fix covers all 11 flaws

Dell published 11 security advisories for **PowerFlex Manager** on June 17, 2026, covering vulnerabilities that span SQL injection, improper access control, missing authentication, weak cryptography, and certificate validation flaws. The affected ranges differ per CVE, from releases before 4.5.1.1 to releases before 4.8, and several of the bugs are exploitable by an attacker with low or no privileges, making this a significant disclosure for organizations running Dell's infrastructure management platform.

SQL Injection Flaws

Two CVEs address SQL injection in PowerFlex Manager. CVE-2026-35069 allows a low-privileged attacker with adjacent network access to inject SQL commands, potentially leading to script injection. CVE-2026-35068 is a separate SQLi bug in the same attack surface that could result in information disclosure. Both carry an adjacent-network attack vector, meaning the attacker must already have a foothold on the same local network as the management interface (for example the management VLAN) rather than reaching it across the Internet.
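The two SQLi entries describe the classic pattern, but the page does not show the affected query. The following is an added, illustrative example (not PowerFlex Manager code) built on a constructed in-memory SQLite database: the same lookup written with string concatenation and with parameter binding, driven by two payloads a low-privileged user could submit through a search field. The tautology payload broadens the result set; the UNION payload pulls a (constructed) secret out of a second table, which is the information-disclosure outcome described for CVE-2026-35068. Table and column names are assumptions for the demo.

```python
import sqlite3

# Constructed sample data standing in for a management-plane database.
# Illustrative example only; this is not PowerFlex Manager code.
USERS = [("alice", "admin", "alice@example.test"),
         ("bob", "operator", "bob@example.test")]
TOKENS = [("alice", "tok-ALICE-0001")]   # constructed secret in a second table


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, email TEXT)")
    conn.execute("CREATE TABLE api_tokens (owner TEXT, token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO api_tokens VALUES (?, ?)", TOKENS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Untrusted input is spliced into the statement text: the injectable pattern."""
    sql = f"SELECT name, role, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding: the driver passes the value as data, never as SQL."""
    sql = "SELECT name, role, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Two payloads a low-privileged user could submit through a lookup field.
TAUTOLOGY = "x' OR '1'='1"
UNION_EXFIL = "x' UNION SELECT owner, token, '' FROM api_tokens WHERE '1'='1"


def demo() -> dict:
    """Run both payloads through both implementations and return the rows each yields."""
    conn = make_db()
    return {
        "vuln_tautology": find_user_vulnerable(conn, TAUTOLOGY),   # every user row
        "vuln_union": find_user_vulnerable(conn, UNION_EXFIL),     # token leaks
        "safe_tautology": find_user_safe(conn, TAUTOLOGY),         # no match
        "safe_union": find_user_safe(conn, UNION_EXFIL),           # no match
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The safe variant returns nothing for either payload because the whole string is compared as a literal user name. Any field that is later rendered unescaped (the "script injection" outcome noted for CVE-2026-35069) would carry whatever the injected statement wrote into it, which is why the fix is binding parameters at the query, not filtering quotes at the form.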

Access Control Weaknesses

Three CVEs fall under improper access control. CVE-2026-35066 and CVE-2026-35162 both enable a low-privileged remote attacker to cause a denial of service. CVE-2026-35067 is more severe: a low-privileged attacker with adjacent access can gain elevated privileges and unauthorized access to sensitive functions.

Missing Authentication and Improper Authentication

CVE-2026-35065 is a missing-authentication-for-critical-function vulnerability and the most consequential entry in the batch. An unauthenticated attacker with adjacent network access could exploit it to achieve code execution, denial of service, information disclosure, or information tampering. Two additional improper-authentication bugs, CVE-2026-32804 and CVE-2026-49502, also require no authentication and only adjacent access, leading to unauthorized access and information disclosure or tampering.

Untrusted Control Sphere and Cryptographic Weaknesses

CVE-2026-22283 affects PowerFlex Manager versions prior to 4.8 and involves inclusion of functionality from an untrusted control sphere. An unauthenticated remote attacker could exploit this to disclose information. CVE-2026-40641 affects version 4.6.0.1 specifically and involves a broken or risky cryptographic algorithm that could lead to information disclosure and tampering by a remote unauthenticated attacker.

Certificate Validation Issue

CVE-2024-47477 is an older CVE (its identifier was assigned in 2024) that Dell disclosed as part of this batch. It affects versions prior to 4.5.1.1 and involves improper certificate validation. A remote unauthenticated attacker could exploit this to mount a man-in-the-middle attack in tandem with DNS cache poisoning: poisoning redirects the client to an attacker-controlled endpoint, and without proper validation the client accepts that endpoint's certificate.
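The advisory does not say which PowerFlex Manager component performs the flawed validation, so the following is an added, generic illustration (not Dell's code) of what "improper certificate validation" usually looks like in a TLS client and how to audit for it. It uses only Python's standard `ssl` module: a client context built the weak way, a hardened one, and an `audit` function that reports the settings an attacker with DNS cache poisoning would rely on. The `cafile` parameter is an assumed hook for an organization's own trust bundle.

```python
import ssl
from typing import List, Optional

# Added illustrative example; not PowerFlex Manager code.


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: accept any certificate and skip hostname matching.

    With DNS poisoned, the client connects to the attacker's host, and this
    context accepts whatever certificate that host presents.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # chain is never validated
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Validate the chain against a trust store and match the hostname.

    cafile is an assumed parameter: pass an organization CA bundle to pin
    trust to it; None uses the system store.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Return the validation weaknesses present in a client context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("chain not verified (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname not checked (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS allowed (minimum_version below TLSv1_2)")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit(weak_client_context()))
    print("hardened:", audit(hardened_client_context()))
```

Either of the first two findings is enough for the MITM described above: with `CERT_NONE` no chain is checked at all, and with `check_hostname=False` a valid certificate for the attacker's own name is accepted for the victim's hostname.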

Patch Status and Mitigations

Dell has not yet released a single cumulative patch version that addresses all 11 CVEs. The affected version ranges vary: CVE-2026-22283 is fixed in version 4.8, CVE-2024-47477 requires upgrading to 4.5.1.1 or later, and CVE-2026-40641 is specific to 4.6.0.1. For the remaining eight CVEs, the advisories summarized here do not state fixed versions. Organizations should check their installed version against each Dell PowerFlex Manager Security Advisory individually, rather than assuming a later release covers every entry, and apply the recommended updates or mitigations. Until patches are available, network segmentation and strict access controls on the PowerFlex Manager management interface are advised, particularly because many of the bugs need only adjacent network access, so anything that can reach the management network is in scope.
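Because the fixed versions are staggered, a small triage script helps turn "which advisory applies to me" into a checklist. The following is an added example (not a Dell tool) that encodes only what the page states: the three CVEs with known affected ranges, and the eight whose fixed versions are not given and therefore always need a manual check against the vendor advisory. It assumes PowerFlex Manager version strings are dotted numerics like those quoted above (`4.5.1.1`, `4.6.0.1`, `4.8`); other formats would need a different parser.

```python
from typing import Callable, Dict, List, Tuple

# Added example; not Dell's code. Affected ranges below are as stated in the
# advisory summary, nothing more.


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version to a comparable tuple; '4.8' compares as 4.8.0.0.

    Assumes purely numeric components; anything else raises ValueError.
    """
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def before(fixed: str) -> Callable[[str], bool]:
    return lambda v: parse_version(v) < parse_version(fixed)


def exactly(only: str) -> Callable[[str], bool]:
    return lambda v: parse_version(v) == parse_version(only)


# CVEs whose affected range the advisory summary gives.
KNOWN_RANGES: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "CVE-2026-22283": ("fixed in 4.8", before("4.8")),
    "CVE-2024-47477": ("fixed in 4.5.1.1", before("4.5.1.1")),
    "CVE-2026-40641": ("affects 4.6.0.1 only", exactly("4.6.0.1")),
}

# CVEs for which no fixed version is stated: always verify with the vendor.
UNSPECIFIED: List[str] = [
    "CVE-2026-35069", "CVE-2026-35068", "CVE-2026-35066", "CVE-2026-35162",
    "CVE-2026-35067", "CVE-2026-35065", "CVE-2026-32804", "CVE-2026-49502",
]


def triage(installed: str) -> dict:
    """Classify every CVE in the batch for one installed version."""
    affected = [cve for cve, (_, pred) in KNOWN_RANGES.items() if pred(installed)]
    cleared = [cve for cve in KNOWN_RANGES if cve not in affected]
    return {
        "installed": installed,
        "affected_known": affected,          # stated range says you are exposed
        "cleared_known": cleared,            # stated range says you are not
        "verify_with_vendor": list(UNSPECIFIED),
    }


def closed_by_upgrade(installed: str, target: str) -> List[str]:
    """Known-range CVEs that apply now but would not after upgrading to target."""
    return [cve for cve in triage(installed)["affected_known"]
            if cve not in triage(target)["affected_known"]]


if __name__ == "__main__":
    for v in ("4.5.0", "4.6.0.1", "4.8"):
        print(v, triage(v))
    print("4.6.0.1 -> 4.8 closes:", closed_by_upgrade("4.6.0.1", "4.8"))
```

The script deliberately never marks the eight unspecified CVEs as fixed for any version; that list is the part of the upgrade plan that only the vendor advisories can resolve.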

Bottom Line

This batch of 11 CVEs reveals a broad attack surface in Dell PowerFlex Manager, with weaknesses spanning authentication, access control, input validation, and cryptography. The presence of a missing-authentication bug that can lead to code execution (CVE-2026-35065) and a certificate-validation flaw enabling MITM attacks (CVE-2024-47477) should prompt administrators to prioritize patching. Dell's staggered fix versions mean that organizations may need to plan multiple upgrade steps to fully close all gaps.

Synthesized by Vypr AI