Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to possibly exposed credentials for accessing the product’s management interface. The password may be known outside Pure Storage and could be used on an affected system, if reachable, to execute arbitrary instructions with root privileges. No other Pure Storage products or services are affected. Remediation is available from Pure Storage via a self-serve “opt-in” patch, manual patch application or a software upgrade to an unaffected version of Purity software.
Conclusion & alert: CVE-2022-32554 is rated Moderate Risk (61.5/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.18%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-19 | 1.06% | 1.18% | +0.12% |
| 2 | 2026-06-15 | 0.47% | 1.06% | +0.59% |
| 3 | 2025-07-06 | — | 0.47% | — |
Full EPSS history (11 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| 10.0 | 2.0 | HIGH |
|
10.0 | 10.0 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| purestorage | purity\/\/fa | < 5.3.18 | cpe:2.3:a:purestorage:purity\/\/fa:*:*:*:*:*:*:*:* |
| purestorage | purity\/\/fa | >= 6.0.0, < 6.0.9 | cpe:2.3:a:purestorage:purity\/\/fa:*:*:*:*:*:*:*:* |
| purestorage | purity\/\/fa | >= 6.1.0, < 6.1.13 | cpe:2.3:a:purestorage:purity\/\/fa:*:*:*:*:*:*:*:* |
| purestorage | purity\/\/fa | >= 6.2.0, < 6.2.4 | cpe:2.3:a:purestorage:purity\/\/fa:*:*:*:*:*:*:*:* |
| purestorage | purity\/\/fb | < 3.1.13 | cpe:2.3:a:purestorage:purity\/\/fb:*:*:*:*:*:*:*:* |
| purestorage | purity\/\/fb | >= 3.2.0, < 3.2.5 | cpe:2.3:a:purestorage:purity\/\/fb:*:*:*:*:*:*:*:* |
| purestorage | purity\/\/fb | >= 3.3.0, < 3.3.1 | cpe:2.3:a:purestorage:purity\/\/fb:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://support.purestorage.com/Pure_Security/Security_Bundle_2022-04-04/Security_Advisory_for_%E2%80%9Csecurity-bundle-2022-04-04 | Mitigation Vendor Advisory |