Dell PowerScale OneFS, a clustered storage operating system widely used in enterprise environments for scalable file storage, contains an incorrect authorization vulnerability identified as CVE-2025-26330. This vulnerability affects versions 9.4.0.0 through 9.10.0.1. The issue stems from improper authorization checks that allow an unauthenticated attacker with local access to the system to gain access to the cluster using the privileges of a previously disabled user account. Essentially, the system fails to properly revoke or restrict access rights associated with disabled accounts, enabling privilege escalation. The vulnerability is categorized under CWE-863 (Incorrect Authorization), indicating that the system does not correctly enforce access control policies. The CVSS v3.1 base score is 7.0, reflecting high severity due to the potential for complete compromise of confidentiality, integrity, and availability (C, I, A all rated high). The attack vector is local (AV:L), attack complexity is high (AC:H), no privileges are required (PR:N), but user interaction is required (UI:R). The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. No patches are currently linked, and no known exploits have been reported in the wild, but the vulnerability poses a significant risk if exploited. The flaw could allow attackers to bypass account disablement mechanisms and regain access with elevated privileges, potentially leading to unauthorized data access, data manipulation, or disruption of storage services.

The vulnerability could have severe consequences for organizations relying on Dell PowerScale OneFS clusters. Exploitation can lead to unauthorized access to sensitive data stored within the cluster, data integrity violations through unauthorized modifications, and potential denial of service by disrupting cluster availability. Since the attacker can leverage privileges of disabled accounts, this undermines standard account lifecycle security controls and complicates incident response and forensic investigations. Organizations with large-scale storage deployments may face significant operational disruptions and data breaches. The requirement for local access limits remote exploitation but insider threats or attackers who gain initial footholds on systems hosting OneFS could escalate privileges and move laterally within the environment. The high attack complexity and need for user interaction reduce the likelihood of widespread automated exploitation but do not eliminate targeted attacks. The absence of known exploits in the wild provides a window for proactive mitigation before active exploitation occurs.

Organizations should implement strict local access controls to limit who can physically or logically access systems running PowerScale OneFS. Employing multi-factor authentication and robust account management policies, including timely disabling and auditing of user accounts, is critical. Monitoring and logging local access attempts and privilege escalations can help detect exploitation attempts early. Until official patches are released by Dell, consider isolating affected systems from untrusted users and networks, and restrict administrative access to trusted personnel only. Regularly review and update user account statuses to ensure disabled accounts are fully revoked and cannot be reused. Engage with Dell support for updates on patches or workarounds. Additionally, conduct security awareness training to reduce the risk of social engineering or user interaction that could facilitate exploitation. Implementing endpoint protection and host-based intrusion detection systems on nodes running OneFS can provide additional layers of defense.