CVE-2025-26330
📋 TL;DR
Dell PowerScale OneFS versions 9.4.0.0 through 9.10.0.1 contain an incorrect authorization vulnerability. An unauthenticated attacker with local access could exploit this to gain cluster access using the privileges of a previously disabled user account. This affects Dell PowerScale storage systems running vulnerable OneFS versions.
💻 Affected Systems
- Dell PowerScale OneFS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains unauthorized administrative access to the PowerScale cluster, potentially compromising all stored data, disrupting operations, or deploying ransomware.
Likely Case
An attacker with local access gains unauthorized user-level access to sensitive files or performs limited unauthorized actions on the cluster.
If Mitigated
With proper network segmentation and access controls, the vulnerability is contained to isolated systems with minimal impact.
🎯 Exploit Status
The vulnerability allows unauthenticated exploitation but requires local access to the PowerScale system. No public exploit code has been disclosed as of the advisory date.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OneFS 9.10.0.2 and later
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000300860/dsa-2025-119-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities
Restart Required: Yes
Instructions:
1. Review Dell advisory DSA-2025-119.
2. Download OneFS version 9.10.0.2 or later from Dell Support.
3. Schedule a maintenance window for the cluster restart.
4. Apply the update following Dell's PowerScale upgrade procedures.
5. Verify the update succeeded and the cluster is functioning normally.
🔧 Temporary Workarounds
Restrict Local Access
Limit physical and network access to PowerScale management interfaces to authorized personnel only.
- Configure firewall rules to restrict access to PowerScale management IPs
- Implement network segmentation for storage infrastructure
Disable Unused Accounts
Review and permanently delete disabled user accounts that could be exploited.
isi auth users list --disabled
isi auth users delete <username>
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PowerScale systems from untrusted networks.
- Enforce multi-factor authentication and privileged access management for all storage administrators.
🔍 How to Verify
Check if Vulnerable:
Check the OneFS version with the command isi version. If the version is between 9.4.0.0 and 9.10.0.1 inclusive, the system is vulnerable.
Check Version:
isi version
Verify Fix Applied:
After patching, verify that the version reported by isi version is 9.10.0.2 or later. Test authentication with previously disabled accounts to confirm they can no longer log in.
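The version range above is easy to get wrong in a script because "9.10" sorts before "9.4" as a string. The following is an added example, not Dell tooling or part of the advisory: it extracts the first a.b.c.d version token from whatever text isi version printed (the sample output line is constructed; the real output layout is assumed, only the version token is relied on) and compares it numerically against the affected range and the fix version stated on this page.

```python
import re
from typing import Optional, Tuple

# Affected range and fix version exactly as stated in the advisory for CVE-2025-26330.
AFFECTED_MIN = (9, 4, 0, 0)
AFFECTED_MAX = (9, 10, 0, 1)
FIXED_MIN = (9, 10, 0, 2)

# OneFS versions are four dotted integers (e.g. 9.10.0.1). The lookarounds
# stop the pattern matching inside a longer dotted number; no \b is used
# because a leading "v" (as in "v9.10.0.1") is a word character too.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_onefs_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return the first a.b.c.d token in `text` as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version lies in 9.4.0.0..9.10.0.1 inclusive; None if unparsable.

    Tuples compare component by component as integers, so 9.10.x correctly
    sorts after 9.4.x. Raw string comparison would not: "9.10.0.1" < "9.4.0.0".
    """
    v = parse_onefs_version(text)
    if v is None:
        return None
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def is_fixed(text: str) -> Optional[bool]:
    """True if the version is 9.10.0.2 or later; None if unparsable."""
    v = parse_onefs_version(text)
    if v is None:
        return None
    return v >= FIXED_MIN


def assess(text: str) -> str:
    """One-line verdict suitable for a fleet inventory report."""
    if parse_onefs_version(text) is None:
        return "unknown: no OneFS version token found in output"
    if is_vulnerable(text):
        return "VULNERABLE: upgrade to OneFS 9.10.0.2 or later (DSA-2025-119)"
    if is_fixed(text):
        return "fixed: version is 9.10.0.2 or later"
    return "not in the affected range (older than 9.4.0.0)"


if __name__ == "__main__":
    # Constructed sample of what `isi version` might print; the real layout
    # may differ, and only the a.b.c.d token is used.
    sample_output = "Isilon OneFS v9.10.0.1 (constructed sample)"
    print(sample_output, "->", assess(sample_output))
```

Feed it the captured output of isi version from each cluster; the verdict strings are stable, so they can be grepped across a fleet. The fix version check is kept separate from the range check so a version that parses but falls outside both (older than 9.4.0.0) is reported explicitly rather than silently treated as safe.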
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts from local IPs
- Successful logins from previously disabled user accounts
- Access pattern changes for disabled accounts in audit logs
Network Indicators:
- Unexpected authentication traffic to PowerScale management interfaces
- Connection attempts from unauthorized internal systems
SIEM Query:
source="powerscale_audit.log" (event_type="authentication" AND result="success" AND user_status="disabled")
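The SIEM query above depends on the audit record carrying a user_status field. The following is an added example, not part of the advisory or any Dell product: it applies the same detection logic to audit lines offline, and additionally cross-references the user name against a list of known-disabled accounts (the list the page's isi auth users list command would produce), so a login still fires when the record itself omits user_status. The key="value" line layout and all sample lines are constructed for this example and are not a documented OneFS audit format.

```python
import re
from typing import Dict, FrozenSet, Iterable, List

# Parses key="value" pairs. This layout is an assumption for the example,
# not a documented OneFS audit log format.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample audit lines. Field names mirror the page's SIEM query.
# Note the last line carries no user_status field at all.
SAMPLE_AUDIT_LOG = """\
2025-03-01T08:00:01Z event_type="authentication" result="success" user="alice" user_status="enabled" src="10.0.1.20"
2025-03-01T08:02:13Z event_type="authentication" result="failure" user="old_svc" user_status="disabled" src="10.0.1.44"
2025-03-01T08:02:40Z event_type="authentication" result="success" user="old_svc" user_status="disabled" src="10.0.1.44"
2025-03-01T08:05:09Z event_type="file_access" result="success" user="old_svc" user_status="disabled" src="10.0.1.44"
2025-03-01T08:07:55Z event_type="authentication" result="success" user="bob_contractor" src="10.0.1.51"
"""


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split off the leading timestamp, then collect the key="value" fields."""
    timestamp, _, rest = line.strip().partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def find_disabled_account_logins(
    lines: Iterable[str],
    disabled_users: FrozenSet[str] = frozenset(),
) -> List[Dict[str, str]]:
    """Return successful authentication records for disabled accounts.

    A record matches if it says user_status="disabled" itself (the page's
    SIEM query) OR if its user is in `disabled_users`, the list maintained
    from the cluster's own disabled-account inventory. Failed logins and
    non-authentication events are ignored, as in the original query.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        if rec.get("event_type") != "authentication" or rec.get("result") != "success":
            continue
        if rec.get("user_status") == "disabled" or rec.get("user") in disabled_users:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    # Constructed inventory, standing in for the output of the page's
    # `isi auth users list` command.
    known_disabled = frozenset({"old_svc", "bob_contractor"})
    for rec in find_disabled_account_logins(SAMPLE_AUDIT_LOG.splitlines(), known_disabled):
        print(f'{rec["timestamp"]} ALERT disabled account "{rec["user"]}" logged in from {rec["src"]}')
```

Run over the exported audit log with the disabled-account inventory refreshed on a schedule: with the inventory supplied, the bob_contractor login at 08:07:55 is caught even though the record never states the account's status, which is exactly the gap a status-field-only SIEM query leaves open.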