PatchSiren cyber security CVE debrief
CVE-2015-4057 Dell CVE debrief
CVE-2015-4057 is an information-disclosure issue in the Plug-in for VMware vCenter in Dell VCE Vision Intelligent Operations before 2.6.5. When a user requests the Settings screen, the product sends a cleartext HTTP response, which can allow a network observer to recover the admin user password. NVD rates the issue HIGH with a 7.5 CVSS score, reflecting unauthenticated network exposure and confidentiality impact only.
- Vendor: Dell
- Product: CVE-2015-4057
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-21
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-21
- Advisory updated: 2026-05-13
Who should care
Administrators, security teams, and operators running Dell VCE Vision Intelligent Operations with the VMware vCenter plug-in, especially where management traffic can be observed on the network.
Technical summary
The supplied NVD metadata identifies the vulnerable CPE as Dell VCE Vision Intelligent Operations through version 2.6.4. The weakness is classified as CWE-200. The issue occurs when the Settings screen is requested and the response is delivered in cleartext over HTTP, creating an opportunity for passive interception of the admin password. The CVSS 3.1 vector in the supplied source is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which matches a remote, no-authentication, confidentiality-only exposure.
Defensive priority
High. This is a remotely reachable credential-exposure flaw with no privileges or user interaction required, so any deployment on an observable network should be treated as urgent to assess and remediate.
Recommended defensive actions
- Upgrade Dell VCE Vision Intelligent Operations / the VMware vCenter plug-in to version 2.6.5 or later.
- Treat management-network traffic as sensitive until the vulnerable version is removed or upgraded.
- Restrict access to the management plane so only trusted administrators and hosts can reach the plug-in.
- If the affected admin password may have been exposed, rotate it and review related access activity.
- Verify whether any installation is still running a version through 2.6.4 and prioritize remediation accordingly.
Evidence notes
The supplied NVD record and source item state that versions through 2.6.4 are vulnerable and that the issue is a cleartext HTTP response when the Settings screen is requested. NVD also supplies the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and CWE-200. The referenced Bugtraq mailing list advisory (http://seclists.org/bugtraq/2015/Jun/91) supports the password-sniffing description. In the supplied metadata, the CVE record was published on 2017-02-21 and last modified on 2026-05-13.
Official resources
- CVE-2015-4057 CVE record (CVE.org)
- CVE-2015-4057 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Mailing List, Third Party Advisory)
The source corpus points to a public Bugtraq mailing list advisory referenced by NVD, and the CVE record itself was published on 2017-02-21. The supplied materials do not provide a more specific initial disclosure timestamp.