Cyber Posture

CVE-2026-35155

Severity: High

Published: 29 April 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: Dell DSA-2026-187
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.5th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35155 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Dell iDRAC10 firmware. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 2.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent (SI-2, Flaw Remediation): Directly remediates the race condition vulnerability by requiring timely application of Dell's security update for iDRAC10.

- Prevent (IA-5, Authenticator Management): Addresses insufficiently protected credentials by enforcing secure management, storage, and handling of authenticators to prevent exposure via race conditions.

- Prevent: Mitigates privilege escalation impact by ensuring low-privileged accounts have only the minimal necessary access rights within the iDRAC10 interface.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The race condition exposes credentials through the authenticated, low-privilege iDRAC interface, which directly enables exploitation for privilege escalation with high confidentiality, integrity, and availability impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated low-privileged attacker to gain elevated access.

Deeper analysis (AI-generated)

CVE-2026-35155 is an Insufficiently Protected Credentials vulnerability (CWE-522) affecting Dell iDRAC10 in versions 1.20.70.50 and 1.30.05.10. The issue stems from a race condition that leaves credentials insufficiently protected; the CVSS v3.1 base score is 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H). Published on 2026-04-29, it enables privilege escalation within the iDRAC10 management interface.

An authenticated attacker with low privileges can exploit this race condition over the network, though it requires high attack complexity and user interaction. Successful exploitation grants elevated access, resulting in high impacts to confidentiality, integrity, and availability.

Dell's DSA-2026-187 advisory provides a security update for iDRAC10 to address this vulnerability; details are available at https://www.dell.com/support/kbdoc/en-us/000452298/dsa-2026-187-security-update-for-dell-idrac10-vulnerability.

Details

CWE(s)

CWE-522: Insufficiently Protected Credentials

Affected Products

Dell iDRAC10 firmware, versions ≤ 1.30.10.50

CVEs Like This One

- CVE-2025-36568 (same vendor: Dell)
- CVE-2026-32655 (same vendor: Dell)
- CVE-2026-27102 (same vendor: Dell)
- CVE-2025-21105 (same vendor: Dell)
- CVE-2026-25906 (same vendor: Dell)
- CVE-2026-23857 (same vendor: Dell)
- CVE-2026-24510 (same vendor: Dell)
- CVE-2026-22765 (same vendor: Dell)
- CVE-2026-26949 (same vendor: Dell)
- CVE-2024-48013 (same vendor: Dell)
