Cyber Posture

CVE-2026-28265

Severity: Medium
Published: 01 April 2026
Modified: 02 April 2026
KEV Added: not listed
Patch: see Dell advisory DSA-2026-157 (Deeper analysis section)
CVSS Score: 4.4 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
EPSS Score: 0.0002 (3.5th percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-28265 is a medium-severity path traversal vulnerability (CWE-35, Path Traversal: '.../...//') in Dell PowerStoreOS. Its CVSS v3.1 base score is 4.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). Its EPSS score places it at the 3.5th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Stored Data Manipulation (T1565.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-10 Information Input Validation (prevent)
Directly prevents path traversal exploitation by validating and canonicalizing file path inputs to the Service user component before they reach the filesystem.

AC-3 Access Enforcement (prevent)
Enforces approved access authorizations so that the low-privileged Service user cannot modify arbitrary system files.

AC-6 Least Privilege (prevent)
Limits the damage from exploitation by restricting the Service user's privileges to only the system resources and files it needs.
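To make the SI-10 recommendation concrete, here is an added example, not code from this page, from Dell, or from PowerStore, showing why CWE-35 is called out separately from generic CWE-22. A single-pass filter that strips "../" turns ".../...//" into "../" after filtering, while a validator that first canonicalizes the joined path and then checks containment is not fooled. The directory BASE_DIR, the function names and the sample inputs are hypothetical stand-ins for the unnamed Service user component, not PowerStore's real layout or payloads.

```python
import os

# Hypothetical root the "Service user" component should be confined to;
# not PowerStore's real directory layout.
BASE_DIR = "/var/lib/service/files"


def naive_sanitize(user_path: str) -> str:
    """Single-pass removal of '../': the anti-pattern CWE-35 targets.

    Each '../' is removed once, so an input such as '.../...//' collapses
    into '../' only *after* the filter has run.
    """
    return user_path.replace("../", "")


def naive_resolve(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Flawed 'sanitize, join, normalize' pipeline; returns the final path."""
    return os.path.normpath(os.path.join(base_dir, naive_sanitize(user_path)))


def escapes(base_dir: str, path: str) -> bool:
    """True if path lies outside base_dir (lexical check, no symlink resolution).

    commonpath, unlike str.startswith, also rejects the sibling-prefix trick
    '/var/lib/service/files_evil/x'.
    """
    base = os.path.normpath(base_dir)
    return os.path.commonpath([base, os.path.normpath(path)]) != base


def safe_resolve(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Validate, then canonicalize, then check containment.

    The order matters: containment is checked on the fully resolved path,
    so '.../...//' segments are just oddly named directories inside base_dir,
    and '../' chains are collapsed before the comparison, not after it.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_path):
        # os.path.join discards base_dir when the second argument is absolute.
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    # realpath resolves symlinks as well as '..', so a link planted inside
    # base_dir that points outside it is caught as well.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def is_rejected(user_path: str, base_dir: str = BASE_DIR) -> bool:
    """True when safe_resolve refuses user_path."""
    try:
        safe_resolve(user_path, base_dir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs for illustration, not observed exploit strings.
    for p in ["docs/report.txt", "../etc/shadow", ".../...//etc/shadow",
              ".../...//.../...//etc/shadow", "/etc/shadow"]:
        resolved = naive_resolve(p)
        print(f"{p!r:34} naive -> {resolved}  escapes={escapes(BASE_DIR, resolved)}")
        try:
            print(f"{'':34} safe  -> {safe_resolve(p)}")
        except ValueError as exc:
            print(f"{'':34} safe  -> rejected ({exc})")
```

The naive pipeline resolves ".../...//etc/shadow" to /var/lib/service/etc/shadow, one level above the allowed root, and doubling the pattern climbs two levels. The hardened version treats the same string as a harmless sub-path named ".../.../etc/shadow" under the root and rejects any candidate whose canonical form leaves it. Applying the containment check to the canonical path, rather than filtering the raw string, is the property an SI-10 review should look for in the Service user's file-handling code.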

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1565.001 Stored Data Manipulation (tactic: Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

Path traversal here enables direct modification of arbitrary system files, which maps to stored data manipulation with integrity and availability impact; the vulnerability does not by itself provide remote code execution or further privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

PowerStore contains a Path Traversal vulnerability in the Service user. A low privileged attacker with local access could potentially exploit this vulnerability, leading to modification of arbitrary system files.

Deeper analysis [AI-generated]

CVE-2026-28265 is a path traversal vulnerability (CWE-22 and CWE-35) in the Service user component of Dell PowerStore. Published on 2026-04-01, it carries a CVSS v3.1 base score of 4.4 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L): a medium-severity issue that needs only low attack complexity and low privileges, with no user interaction, and that affects integrity and availability but not confidentiality.

A low-privileged attacker with local access to PowerStore can exploit this vulnerability to modify arbitrary system files. Successful exploitation could compromise system integrity and availability. The attack vector is Local (AV:L), meaning the attacker needs an account or session on the appliance rather than network reachability; the advisory and CVSS vector (S:U, I:L) do not describe remote code execution or a privilege-escalation path beyond the attacker's initial access level. Practitioners should nonetheless treat write access to system files from a low-privileged account as a likely precursor to further compromise when prioritizing the patch.

Dell's security advisory DSA-2026-157 details a security update for PowerStore addressing this and multiple other vulnerabilities. Practitioners should consult the advisory at https://www.dell.com/support/kbdoc/en-us/000444169/dsa-2026-157-dell-powerstore-t-security-update-for-multiple-vulnerabilities for patch deployment instructions and affected versions.

Details

CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'); CWE-35 (Path Traversal: '.../...//')

Affected Products
dell : powerstoreos, versions ≤ 4.4.0.0-2692403

CVEs Like This One

CVE-2026-27101 (same vendor: Dell)
CVE-2024-51534 (same vendor: Dell)
CVE-2026-26362 (same vendor: Dell)
CVE-2026-26359 (same vendor: Dell)
CVE-2026-25907 (same vendor: Dell)
CVE-2025-36604 (same vendor: Dell)
CVE-2025-25371 (shared CWE-22)
CVE-2026-22277 (same vendor: Dell)
CVE-2026-22266 (same vendor: Dell)
CVE-2026-22767 (same vendor: Dell)
