
CVE-2026-35155

Severity: High
Published: 29 April 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: available (Dell DSA-2026-187)
CVSS Score (v3.1): 7.1, vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.0002 (3.6th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35155 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Dell iDRAC10 firmware. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 3.6th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35155 is an Insufficiently Protected Credentials vulnerability (CWE-522) affecting Dell iDRAC10 in versions 1.20.70.50 and 1.30.05.10. The issue stems from a race condition that leaves credentials insufficiently protected; it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H). Published on 2026-04-29, it enables privilege escalation within the iDRAC10 management interface.

An authenticated attacker with low privileges can exploit this race condition over the network, but the attack complexity is high and user interaction is required. Successful exploitation grants elevated access, with high impact to confidentiality, integrity, and availability.

Dell's DSA-2026-187 advisory provides a security update for iDRAC10 to address this vulnerability; details are available at https://www.dell.com/support/kbdoc/en-us/000452298/dsa-2026-187-security-update-for-dell-idrac10-vulnerability.

Vulnerability details

Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated low‑privileged attacker to gain elevated access.

CWE(s): CWE-522 Insufficiently Protected Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

A race condition that exposes credentials in the authenticated, low-privilege iDRAC interface directly enables exploitation for privilege escalation, with high impact to confidentiality, integrity, and availability.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-36568 (same vendor: Dell)
- CVE-2025-21105 (same vendor: Dell)
- CVE-2025-27688 (same vendor: Dell)
- CVE-2026-27102 (same vendor: Dell)
- CVE-2024-48013 (same vendor: Dell)
- CVE-2026-23862 (same vendor: Dell)
- CVE-2024-53295 (same vendor: Dell)
- CVE-2026-24510 (same vendor: Dell)
- CVE-2026-25906 (same vendor: Dell)
- CVE-2026-21418 (same vendor: Dell)

Affected Assets

Dell iDRAC10 firmware, versions ≤ 1.30.10.50

Mitigating Controls

NIST 800-53 r5 controls:

- SI-2 Flaw Remediation (prevent): Directly remediates the race condition vulnerability by requiring timely application of Dell's security update for iDRAC10.
- IA-5 Authenticator Management (prevent): Addresses insufficiently protected credentials by enforcing secure management, storage, and handling of authenticators to prevent exposure via race conditions.
- Least privilege (prevent): Mitigates privilege escalation impact by ensuring low-privileged accounts have only the minimal necessary access rights within the iDRAC10 interface.