CVE-2025-36589
Published: 06 January 2026
Summary
CVE-2025-36589 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Dell Unisphere For Powermax. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-36589 is an Improper Restriction of XML External Entity Reference vulnerability (CWE-611) affecting Dell Unisphere for PowerMax in versions 9.2.4.x. Published on 2026-01-06, it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), indicating high severity due primarily to its confidentiality impact.
A low-privileged attacker with remote network access can exploit this vulnerability with low complexity and no user interaction. Exploitation could enable unauthorized access to data and resources beyond the intended boundaries of control.
Dell security advisory DSA-2025-425 provides details on this and multiple related vulnerabilities across PowerMaxOS, PowerMax EEM, Unisphere for PowerMax, Unisphere for PowerMax Virtual Appliance, Unisphere 360, and Solutions Enabler Virtual Appliance. Mitigation guidance and patches are available at https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1003
Vulnerability details
Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to data and resources outside of the intended…
more
sphere of control.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XXE (CWE-611) in public-facing Unisphere web app directly enables remote exploitation for unauthorized local file/data access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation through vendor patches directly addresses and eliminates the specific XXE vulnerability in Dell Unisphere for PowerMax.
Information input validation enforces proper XML parsing restrictions to prevent external entity expansion and unauthorized data access.
Secure configuration settings for XML parsers disable external entity processing, mitigating the improper restriction vulnerability.