Cyber Resilience

CVE-2025-36589

High

Published: 06 January 2026

Published
06 January 2026
Modified
22 January 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
EPSS Score 0.0004 11.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-36589 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Dell Unisphere For Powermax. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-36589 is an Improper Restriction of XML External Entity Reference vulnerability (CWE-611) affecting Dell Unisphere for PowerMax in versions 9.2.4.x. Published on 2026-01-06, it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), indicating high severity due primarily to its confidentiality impact.

A low-privileged attacker with remote network access can exploit this vulnerability with low complexity and no user interaction. Exploitation could enable unauthorized access to data and resources beyond the intended boundaries of control.

Dell security advisory DSA-2025-425 provides details on this and multiple related vulnerabilities across PowerMaxOS, PowerMax EEM, Unisphere for PowerMax, Unisphere for PowerMax Virtual Appliance, Unisphere 360, and Solutions Enabler Virtual Appliance. Mitigation guidance and patches are available at https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities.

EU & UK References

Vulnerability details

Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to data and resources outside of the intended…

more

sphere of control.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

XXE (CWE-611) in public-facing Unisphere web app directly enables remote exploitation for unauthorized local file/data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-36588Same product: Dell Unisphere For Powermax
CVE-2026-26358Same product: Dell Unisphere For Powermax
CVE-2026-26360Same product: Dell Unisphere For Powermax
CVE-2026-26362Same product: Dell Unisphere For Powermax
CVE-2026-26359Same product: Dell Unisphere For Powermax
CVE-2026-41066Shared CWE-611
CVE-2025-0162Shared CWE-611
CVE-2024-56324Shared CWE-611
CVE-2026-22266Same vendor: Dell
CVE-2024-54171Shared CWE-611

Affected Assets

dell
unisphere for powermax
9.2.4.18
dell
unisphere for powermax virtual appliance
9.2.4.17 — 9.2.4.19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through vendor patches directly addresses and eliminates the specific XXE vulnerability in Dell Unisphere for PowerMax.

prevent

Information input validation enforces proper XML parsing restrictions to prevent external entity expansion and unauthorized data access.

prevent

Secure configuration settings for XML parsers disable external entity processing, mitigating the improper restriction vulnerability.

References