CVE-2025-36579 Overview
CVE-2025-36579 is a weak password recovery mechanism vulnerability in Dell Client Platform BIOS. The flaw allows an unauthenticated attacker with physical access to the system to bypass password protections and gain unauthorized access. The weakness is categorized under [CWE-640] (Weak Password Recovery Mechanism for Forgotten Password), indicating that the BIOS recovery workflow can be abused to circumvent authentication. Dell published advisory DSA-2025-153 to address this issue.
Critical Impact
An attacker with physical access can exploit the BIOS password recovery mechanism to obtain unauthorized access to the affected system and its protected configuration.
Affected Products
- Dell Client Platform BIOS (specific models listed in DSA-2025-153)
- Dell client systems shipping the affected BIOS firmware
- See Dell Security Advisory DSA-2025-153 for the full list of impacted platforms and firmware versions
Discovery Timeline
- 2026-04-16 - CVE-2025-36579 published to NVD
- 2026-04-17 - Last updated in NVD database
Technical Details for CVE-2025-36579
Vulnerability Analysis
The vulnerability resides in the password recovery workflow implemented within Dell Client Platform BIOS. BIOS firmware typically protects setup configuration, boot order, and storage controls with a supervisor or system password. When that password is lost, vendors expose a recovery path that should require strong proof of ownership, such as cryptographically bound service tags or signed vendor responses. In this case, the recovery mechanism is weak enough that an attacker with hands-on access can complete the recovery flow without legitimate authorization. The result is unauthorized access to BIOS configuration and, by extension, the boot chain of the device.
Root Cause
The root cause is an insufficiently strong password recovery design in the BIOS [CWE-640]. The recovery process does not enforce adequate identity verification or unpredictability in its challenge-response logic. Predictable recovery codes, weak key derivation, or insufficient binding to per-device secrets enable bypass of the intended password gate.
Attack Vector
Exploitation requires physical access to the target device. The attacker boots the system, triggers the BIOS password prompt, and follows the recovery workflow to derive or submit a recovery value that the firmware accepts. No prior credentials and no user interaction beyond the attacker's own actions are needed. Once BIOS access is obtained, the attacker can alter Secure Boot settings, change boot order to attached media, or disable storage protections, expanding the impact beyond the BIOS itself.
No public proof-of-concept is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See Dell Security Advisory DSA-2025-153 for vendor-supplied technical details.
Detection Methods for CVE-2025-36579
Indicators of Compromise
- Unexpected changes to BIOS settings such as Secure Boot state, boot order, or storage controller mode
- BIOS administrator or system password no longer recognized by authorized administrators
- Physical tampering indicators on chassis, intrusion switch events, or unexplained device reboots into BIOS setup
- New or unknown boot entries pointing to removable media or network sources
Detection Strategies
- Collect BIOS configuration baselines from managed endpoints and alert on drift, including Secure Boot, boot order, and password presence
- Monitor operating system event logs for chassis intrusion, unexpected power cycles, and boot-from-removable-media events
- Correlate physical access records, such as badge logs or asset checkout systems, with endpoint reboot and BIOS change telemetry
Monitoring Recommendations
- Enroll affected Dell systems in firmware management tooling that reports BIOS version and configuration state to a central console
- Forward endpoint and firmware telemetry into a centralized data lake or SIEM for longitudinal analysis of configuration drift
- Track Dell advisory DSA-2025-153 for updated firmware revisions and confirm deployment status across the fleet
How to Mitigate CVE-2025-36579
Immediate Actions Required
- Inventory all Dell client systems and identify those listed as affected in DSA-2025-153
- Apply the BIOS update provided by Dell as soon as it is validated for the target hardware
- Enforce a strong BIOS administrator password on every endpoint and store recovery information in a controlled secrets vault
- Restrict physical access to endpoints, particularly devices used outside controlled office environments
Patch Information
Dell has issued firmware updates through advisory Dell Security Advisory DSA-2025-153. Administrators should download the platform-specific BIOS package, verify the version against Dell's fixed-version table, and deploy using standard firmware update tooling. Reboot is required to complete installation.
Workarounds
- Enable chassis intrusion detection and Secure Boot to raise the cost of physical tampering
- Use full-disk encryption tied to TPM and pre-boot authentication so that BIOS bypass does not yield access to data at rest
- Disable boot from USB and network on systems that do not require it, and lock these settings behind the BIOS password
- Apply tamper-evident seals on high-risk devices such as laptops used by traveling staff
# Configuration example: verify BIOS version on Windows after patching
wmic bios get smbiosbiosversion
# Linux equivalent
sudo dmidecode -s bios-version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

