Dell PowerScale OneFS: Default password enables account takeover

Dell's NAS operating system PowerScale OneFS is vulnerable. The developers have closed several vulnerabilities in current versions.

Attackers can use a total of six vulnerabilities to attack network-attached storage (NAS) with Dell's PowerScale OneFS operating system. In the worst case, attackers can gain full control over devices.

In an advisory, the developers list the vulnerabilities and provide further information on the affected and patched versions. One vulnerability is considered “critical” (CVE-2025-27690). Because of a default password, attackers with remote access can take over an account with high user rights without authentication. Given the vulnerability's severity rating, it can be assumed that they can then fully compromise devices.

Furthermore, a flaw (CVE-2025-26330, “high”) allows unauthorized access by a local attacker without logging in. This is because rights remain in place when an account is deactivated.

The remaining vulnerabilities are classified as “medium” and “low”. Attackers can use these vulnerabilities for DoS attacks, among other things.

It is not clear from Dell's advisory whether attacks are already underway. It also remains unclear by which indicators NAS systems that have already been attacked can be identified. The developers state that they have closed the vulnerabilities in the following versions of PowerScale OneFS:

  • 9.4.0.21
  • 9.5.1.3
  • 9.7.1.5
  • 9.7.1.7
  • 9.8.0.4
  • 9.9.0.2
  • 9.10.1.1

If admins are unable to install the security updates immediately, they can at least protect systems against attacks on the critical vulnerability with workarounds. The developers explain how this works in the advisory.

(des)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.