LiveActive security incident?Get immediate response
CVE Record

CVE-2019-3746: Dell EMC Integrated Data Protection Appliance versions prior to 2.3 do not limit the number of authenticati...

Dell EMC Integrated Data Protection Appliance versions prior to 2.3 do not limit the number of authentication attempts to the ACM API. An authenticated remote user may exploit this vulnerability to launch a brute-force authentication attack in order to gain access to the system.

CriticalCVSS 9.8Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

Dell EMC Integrated Data Protection Appliance before version 2.3 did not limit authentication attempts against the ACM API. This can let a remote attacker repeatedly try credentials and potentially gain system access. Because IDPA protects backup and recovery infrastructure, compromise could affect sensitive data and operational resilience.

Executive priority

Treat this as high-priority if Dell EMC IDPA is present. Backup infrastructure compromise can undermine recovery during incidents, and the issue is rated critical. Patch or formally risk-accept affected appliances after validating exposure.

Technical view

CVE-2019-3746 is CWE-307: improper restriction of excessive authentication attempts in the Dell EMC IDPA ACM API. Affected versions are prior to 2.3. The CVSS 3.0 score is 9.8 with network access, low complexity, no user interaction, and high confidentiality, integrity, and availability impact.

Likely exposure

Exposure is limited to Dell EMC Integrated Data Protection Appliance deployments running versions prior to 2.3, especially where the ACM API is reachable by remote users or administrative networks.

Exploitation context

The provided sources do not report known active exploitation, and the CVE is not marked KEV. The source text describes brute-force authentication risk. There is a minor evidence tension: the description says authenticated remote user, while CVSS lists no privileges required.

Researcher notes

Do not assume exploit activity from these sources. Focus validation on product/version inventory, ACM API reachability, and authentication-failure telemetry. Use Dell’s advisory as the authoritative remediation source because the source bundle does not include detailed mitigation mechanics.

Mitigation direction

  • Identify all Dell EMC IDPA appliances and record their exact versions.
  • Upgrade affected IDPA deployments to version 2.3 or later, per Dell guidance.
  • Review Dell DSA-2019-112 for vendor-specific remediation details.
  • Prioritize administrative interfaces that are reachable from broader networks.

Validation and detection

  • Confirm no IDPA appliance remains on a version prior to 2.3.
  • Verify the ACM API is not broadly reachable beyond intended administrators.
  • Review authentication logs for repeated failed ACM API login attempts.
  • Check vulnerability management records for CVE-2019-3746 closure evidence.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-307: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2019-3746 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.8 (3.0)
Known Exploited
No
Published

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.8CVSS 3.0CriticalCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.0 score

9.8Critical
CVSS 3.0 vector shape for CVE-2019-3746Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
DellIntegrated Data Protection Applianceprior to 2.3Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-307 · source CWE mapping

Improper Restriction of Excessive Authentication Attempts

Improper Restriction of Excessive Authentication Attempts represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.