Dell PowerScale OneFS version 9.13.0.0 contains a vulnerability identified as CVE-2026-25907, categorized under CWE-645 (Overly Restrictive Account Lockout Mechanism). The flaw arises from the product's account lockout policy being excessively sensitive, such that an unauthenticated remote attacker can trigger lockouts on user accounts without needing valid credentials or user interaction. This results in denial of service by locking out legitimate users from accessing the system. The vulnerability affects availability exclusively, with no direct impact on confidentiality or integrity. The CVSS 3.1 base score is 5.3, reflecting a network attack vector with low complexity, no privileges required, and no user interaction needed. The scope remains unchanged as the vulnerability affects only the vulnerable component. No known exploits have been reported in the wild, and no official patches or mitigations have been released at the time of publication. The issue is significant for environments relying on PowerScale OneFS for critical storage infrastructure, as disruption of access can impact business operations and data availability. The vulnerability highlights the risk of overly aggressive lockout policies that can be weaponized by attackers to cause service interruptions remotely.

The primary impact of CVE-2026-25907 is denial of service, where attackers can remotely lock out user accounts, preventing legitimate access to Dell PowerScale OneFS systems. This can disrupt enterprise storage operations, affecting data availability and potentially halting business-critical processes dependent on the storage cluster. Since the vulnerability does not compromise confidentiality or integrity, data theft or manipulation is not a direct concern. However, the availability impact can lead to operational downtime, increased support costs, and potential cascading effects on dependent applications and services. Organizations with large-scale deployments or those using OneFS in high-availability environments may experience significant operational disruption. The ease of exploitation (no authentication or user interaction required) increases the risk of automated or widespread attacks, especially in environments exposed to untrusted networks.

Until an official patch is released, organizations should implement specific mitigations to reduce risk. These include restricting remote access to the OneFS management interfaces and authentication services using network segmentation, firewalls, or VPNs to limit exposure to trusted networks only. Monitoring account lockout events and implementing alerting can help detect potential exploitation attempts early. Administrators should review and adjust account lockout policies to balance security and availability, possibly increasing thresholds or lockout durations temporarily. Employing multi-factor authentication (MFA) where supported can reduce the impact of account lockouts on critical users. Additionally, maintaining up-to-date backups and having incident response plans for DoS scenarios will aid in recovery. Organizations should track Dell security advisories closely for patches or updates addressing this vulnerability and apply them promptly once available.