Executive Summary
A high-severity vulnerability (CVE-2026-40711, CVSS score of 8) exists in Dell Container Storage Modules, allowing a high-privileged attacker with remote access to potentially exploit the vulnerability, leading to command execution. Affected versions include csi-powerstore v2.16.0, csi-unity v2.16.0, csi-powerflex v2.16.0, and csi-powermax v2.16.0.
Technical Analysis
The vulnerability is classified as an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. The attack vector involves a high-privileged attacker with remote access who could potentially exploit this vulnerability, leading to command execution. The root cause is the lack of proper input validation and sanitization of special elements used in OS commands.
How It Gets Exploited
An attacker with high privileges and remote access could send a crafted request to the vulnerable endpoint, injecting malicious OS commands. For example, an attacker might inject a malicious command as part of a parameter value, which would then be executed by the system without proper validation. This could lead to arbitrary command execution, allowing the attacker to gain further access to the system.
Impact Assessment
The affected products include Dell Container Storage Modules versions csi-powerstore v2.16.0, csi-unity v2.16.0, csi-powerflex v2.16.0, and csi-powermax v2.16.0. An attacker could achieve command execution, leading to potential confidentiality, integrity, and availability impacts. The CVSS score of 8 indicates a high severity level.
Recommended Actions
To mitigate this vulnerability, users should update Dell Container Storage Modules to version 2.15.2 or later, or 2.17.0 or later. Additionally, users should:
- Restrict remote access to high-privileged accounts.
- Implement proper input validation and sanitization for OS commands.
- Monitor for suspicious activity and implement logging and auditing mechanisms.
Sources
- National Vulnerability Database (NVD)
- Dell Support