πŸ—„οΈ Assets

Dell DSA-2026-239: CVE-2026-23856 Privilege Escalation in iDRAC9 Exposes PowerEdge Server Management Plane

Dell has patched a high-severity privilege escalation vulnerability in the iDRAC9 remote management controller affecting PowerEdge servers across multiple generations. CVE-2026-23856, rated CVSS 8.8, allows a low-privileged authenticated attacker to escalate to Administrator rights on the iDRAC management plane β€” granting control over server power, firmware, BIOS settings, and virtual console access outside the scope of the host operating system.

4 min read
#dell#idrac#cve-2026-23856#privilege-escalation#poweredge#server-management#hardware-security#bmc
Article asset-security

Dell has released security advisory DSA-2026-239 patching a high-severity privilege escalation vulnerability in iDRAC9, the out-of-band remote management controller embedded in Dell PowerEdge servers across multiple generations. CVE-2026-23856, assigned CVSS 8.8, allows an attacker with low-privilege authenticated access to the iDRAC interface to escalate their privileges to Administrator level β€” providing full control over the server’s management plane independently of, and undetectable by, the host operating system.

Vulnerability Details

The flaw resides in iDRAC9’s role-based access control implementation. Under specific conditions involving the processing of crafted RACADM command sequences, a user with Operator or ReadOnly level credentials can manipulate session state to obtain Administrator rights. The escalation is achievable through the iDRAC web interface, REST API, and RACADM command-line interface β€” the three standard iDRAC management channels.

Affected iDRAC9 firmware versions:

PowerEdge GenerationAffected FirmwareFixed Firmware
14G (R640, R740, R940, etc.)iDRAC9 < 6.10.30.306.10.30.30
15G (R650, R750, R850, etc.)iDRAC9 < 7.00.60.607.00.60.60
16G (R660, R760, R960, etc.)iDRAC9 < 8.00.00.008.00.00.00

Note: iDRAC8 and iDRAC7 are not affected by this specific vulnerability, though both are past end-of-support and should be considered broadly unpatched against other vulnerabilities.

Why the Management Plane Matters

The iDRAC management controller operates independently of the host server’s operating system on a dedicated ARM processor with its own firmware, network interface (Dedicated Management Port or shared), and credentials database. iDRAC9 Administrator access confers:

  • Server power control β€” hard power off, reset, and restart independent of the OS
  • Virtual console and virtual media β€” keystroke-level access to the server console and the ability to mount ISO images as virtual drives
  • BIOS/UEFI configuration β€” modification of boot order, Secure Boot settings, and all BIOS parameters
  • Firmware update capability β€” including the ability to downgrade firmware to versions containing known vulnerabilities
  • System event log β€” access to, and the ability to clear, hardware event logs that may contain evidence of prior attack activity
  • iDRAC user management β€” creation of additional Administrator accounts, modification of existing credentials

An attacker who escalates to iDRAC9 Administrator using a low-privilege account β€” such as a monitoring service account, a help desk account used for thermal monitoring, or credentials obtained through phishing β€” achieves persistent access to the server that survives OS reinstallation, disk wipe, and conventional incident response procedures. iDRAC firmware implants, while technically complex, have been used by sophisticated threat actors and represent a persistence mechanism that standard EDR and SIEM tooling cannot observe.

Exposure Assessment

iDRAC management interfaces are a persistent gap in enterprise network segmentation. Ideal architecture places iDRAC Dedicated Management Port connections on an isolated management VLAN with no workstation or general server access. In practice:

  • Many deployments use iDRAC shared port mode, placing the management interface on the same network as production traffic
  • Management VLAN ACLs frequently permit broad access from IT staff workstations to simplify remote administration
  • Service accounts used for hardware monitoring (SNMP, IPMI, Redfish) often hold Operator or ReadOnly level iDRAC credentials and are reachable from application servers

Any threat actor with initial access to a corporate network segment that has connectivity to iDRAC interfaces β€” even read-only monitoring access β€” should be considered capable of exploiting this vulnerability until patching is confirmed.

  • Apply iDRAC9 firmware patches immediately β€” Dell’s advisory provides direct firmware download links; update via RACADM, iDRAC web interface, or Dell Repository Manager
  • Audit iDRAC network accessibility β€” confirm the Dedicated Management Port is isolated to a management VLAN and not reachable from general server or workstation networks; test with a port scan from a representative production server
  • Review iDRAC user accounts on all PowerEdge hosts β€” remove any accounts that do not correspond to current authorised users; rotate all iDRAC credentials as a precaution given the privilege escalation risk
  • Disable shared iDRAC port mode where possible β€” use Dedicated Management Port with physical cable only to the management switch
  • Enumerate your PowerEdge fleet by generation β€” Dell’s affected version table maps to generation, not just firmware version; understand which servers require which patch stream
  • Check for unpatched iDRAC8 and iDRAC7 in your estate β€” these generations are EOL but widespread in older data centre equipment; plan for network isolation as a compensating control where firmware updates are no longer available

Share this article