
CVE-2025-36589: Dell Unisphere For PowerMax XXE Vulnerability

CVE-2025-36589 is an XML External Entity (XXE) vulnerability in Dell Unisphere For PowerMax that allows low-privileged attackers to access unauthorized data. This article covers technical details, affected versions, and mitigation.


CVE-2025-36589 Overview

CVE-2025-36589 is an XML External Entity (XXE) vulnerability affecting Dell Unisphere for PowerMax version 9.2.4.x. The flaw stems from improper restriction of XML external entity references [CWE-611] in the application's XML parser. A low-privileged attacker with remote network access can submit crafted XML payloads to retrieve files and resources outside the intended sphere of control. Dell tracks this issue under security advisory DSA-2025-425. The vulnerability impacts both the standard Unisphere for PowerMax product and the Unisphere for PowerMax Virtual Appliance distribution.

Critical Impact

Authenticated remote attackers can exploit XXE processing to access sensitive storage management data, configuration files, and internal resources reachable from the Unisphere host.

Affected Products

  • Dell Unisphere for PowerMax 9.2.4.18 and other 9.2.4.x releases
  • Dell Unisphere for PowerMax Virtual Appliance
  • Related components covered under DSA-2025-425 (PowerMaxOS, PowerMax eEM, Unisphere 360, Solutions Enabler Virtual Appliance)

Discovery Timeline

  • 2026-01-06 - CVE-2025-36589 published to NVD
  • 2026-01-22 - Last updated in NVD database

Technical Details for CVE-2025-36589

Vulnerability Analysis

Dell Unisphere for PowerMax provides a web-based management interface for PowerMax storage arrays. The application accepts XML input as part of its administrative workflows and API operations. The XML parser processes external entity declarations without adequate restriction, which is the defining condition of an XXE vulnerability.

When the parser encounters a DOCTYPE declaration referencing an external entity, it resolves and includes the referenced content in the parsed document. An attacker who can submit XML to a vulnerable endpoint can therefore force the server to read local files, perform outbound requests, or expose internal data through entity expansion. The attack requires network access and a low-privileged authenticated account on the management interface.

The confidentiality impact is rated high because the Unisphere host contains storage configuration data, credentials, and management metadata. Integrity impact is limited, and availability is not directly affected.

Root Cause

The root cause is improper restriction of XML external entity references [CWE-611] in the XML parsing routines used by Unisphere for PowerMax. The parser fails to disable external entity resolution, DTD processing, or external parameter entities before processing untrusted input. Secure XML parser configurations explicitly disable these features to prevent file disclosure and SSRF-style retrieval through XXE.
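The secure parser configuration the root cause calls for, shown in working form as an added example: this is Python's standard-library expat binding with handlers that refuse any DOCTYPE, entity declaration or external entity reference before resolution happens. It is not Dell's code and does not represent the parser Unisphere for PowerMax actually uses; the sample documents are constructed for the demonstration.

```python
"""Hardened XML intake: reject DTDs and entity declarations before anything is resolved.

Added example using Python's standard-library expat binding; it is not Dell's code and
does not represent the parser Unisphere for PowerMax uses. Sample documents are constructed.
"""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Untrusted XML carried a DOCTYPE, an entity declaration, or an external reference."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Fires as soon as <!DOCTYPE ...> is seen, before any internal subset is read.
    raise UnsafeXmlError(f"DOCTYPE declaration not allowed (name={doctype_name!r})")


def _reject_entity_decl(entity_name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
    # Belt and braces: no general or parameter entity may be declared at all.
    raise UnsafeXmlError(f"entity declaration not allowed (name={entity_name!r})")


def _reject_external_ref(context, base, system_id, public_id):
    # Returning a false value makes expat abort instead of fetching the referenced resource.
    return 0


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse client-supplied XML with all external-entity features switched off.

    Returns a small summary ({'root': <tag>, 'elements': <count>}) for well-formed,
    DTD-free input and raises UnsafeXmlError otherwise.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _reject_external_ref

    summary = {"root": None, "elements": 0}

    def on_start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed input, or expat stopping because the external-reference handler refused.
        raise UnsafeXmlError(f"malformed or unsafe XML: {exc}") from exc
    return summary


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXmlError:
        return True
    return False


# Constructed samples: a benign management payload and two XXE-shaped documents.
BENIGN = b'<?xml version="1.0"?><config><array id="A01"/><array id="A02"/></config>'
XXE_FILE_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE data [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
                   b'<data>&ext;</data>')
XXE_EXTERNAL_DTD = b'<?xml version="1.0"?><!DOCTYPE data SYSTEM "http://dtd.example.invalid/x.dtd"><data/>'

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    for sample in (XXE_FILE_ENTITY, XXE_EXTERNAL_DTD):
        print("rejected" if is_rejected(sample) else "accepted")
```

Rejecting the DOCTYPE outright is the simplest robust policy for an API that never legitimately needs a DTD: the entity and external-reference handlers then only matter as a second line of defence if the DOCTYPE check is ever loosened.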

Attack Vector

The attack vector is network-based and requires low-privileged authenticated access to the Unisphere management interface. An attacker submits a crafted XML document containing an external entity reference pointing to a local file path or an internal URL. When the server parses the document, it dereferences the entity and embeds the retrieved content into the application response or processes it during the request. The attacker observes the leaked data directly in the response or indirectly through side channels. No user interaction is required to trigger the parser once the request is submitted.

No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-36589

Indicators of Compromise

  • Inbound HTTP/HTTPS requests to Unisphere for PowerMax endpoints containing <!DOCTYPE, <!ENTITY, or SYSTEM keywords in XML bodies
  • Unexpected outbound network connections from the Unisphere host to external or unusual internal addresses originating from the XML parsing process
  • Unisphere application logs showing XML parsing errors referencing external entity resolution or file URI schemes
  • Access to local file paths such as /etc/passwd, /etc/shadow, or Unisphere configuration directories from the web application user context

Detection Strategies

  • Inspect web application traffic for XML payloads that contain DOCTYPE declarations or external entity definitions targeting Unisphere management URLs
  • Correlate authentication events for low-privileged Unisphere accounts with subsequent anomalous file or network activity on the host
  • Monitor for new outbound connections from the Unisphere process to attacker-controlled infrastructure that could receive exfiltrated entity data

Monitoring Recommendations

  • Forward Unisphere for PowerMax application and audit logs to a centralized SIEM for retention and correlation
  • Establish a baseline of normal API XML payload structure and alert on deviations such as DOCTYPE or ENTITY tokens
  • Track privileged operations on storage arrays for unauthorized configuration reads following authenticated XML requests
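The detection strategies and monitoring recommendations above, combined into one working correlation sketch as an added example: it flags API requests whose XML body carries DOCTYPE, ENTITY or SYSTEM tokens, then raises the severity when the management host opens a connection outside a trusted range shortly afterwards. This is not part of the original page and not Dell's tooling; the event shape, the trusted egress range and the sample events are constructed for the demonstration.

```python
"""Correlate XXE-shaped API requests with follow-on egress from the management host.

Added example, not part of the original page and not Dell's tooling; event shapes,
the trusted egress range and the sample events are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Tokens that a DTD-free API baseline should never contain (the DOCTYPE/ENTITY indicators above).
XXE_TOKENS = re.compile(r"<!DOCTYPE|<!ENTITY|\bSYSTEM\s+[\"'](?:file|https?|ftp|jar):", re.IGNORECASE)

# Hypothetical: destinations the Unisphere host is expected to talk to (arrays, SIEM, NTP, ...).
TRUSTED_EGRESS = [ip_network("10.10.0.0/16")]


@dataclass
class Event:
    ts: datetime
    kind: str      # "auth" | "xml_request" | "outbound"
    actor: str     # account for auth/xml_request, host name for outbound
    detail: str    # request body, or "dst_ip:port" for outbound


def xxe_indicators(body: str) -> list:
    """Distinct XXE tokens present in an XML body, e.g. ['<!DOCTYPE', '<!ENTITY', 'SYSTEM']."""
    return sorted({m.group(0).split()[0].upper() for m in XXE_TOKENS.finditer(body)})


def is_trusted_destination(endpoint: str) -> bool:
    """True when 'ip:port' falls inside one of the trusted egress ranges."""
    dst = ip_address(endpoint.rsplit(":", 1)[0])
    return any(dst in net for net in TRUSTED_EGRESS)


def correlate(events, window=timedelta(minutes=5)) -> list:
    """One alert per flagged XML request; 'high' when untrusted egress follows within the window."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, ev in enumerate(ordered):
        if ev.kind != "xml_request":
            continue
        indicators = xxe_indicators(ev.detail)
        if not indicators:
            continue
        egress = [
            later.detail
            for later in ordered[i + 1:]
            if later.kind == "outbound"
            and later.ts - ev.ts <= window
            and not is_trusted_destination(later.detail)
        ]
        alerts.append({
            "actor": ev.actor,
            "ts": ev.ts.isoformat(),
            "indicators": indicators,
            "egress": egress,
            "severity": "high" if egress else "medium",
        })
    return alerts


def _t(seconds: int) -> datetime:
    return datetime(2026, 1, 22, 9, 0, 0) + timedelta(seconds=seconds)


# Constructed sample: a low-privileged account sends one normal and one XXE-shaped payload,
# and the management host then connects to an address outside the trusted range.
SAMPLE_EVENTS = [
    Event(_t(0), "auth", "svc_readonly", "login ok from 10.10.5.23"),
    Event(_t(30), "xml_request", "svc_readonly", '<?xml version="1.0"?><config><array id="A01"/></config>'),
    Event(_t(45), "xml_request", "svc_readonly",
          '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY x SYSTEM "file:///etc/passwd">]><d>&x;</d>'),
    Event(_t(47), "outbound", "unisphere-host", "203.0.113.7:80"),
    Event(_t(50), "outbound", "unisphere-host", "10.10.1.5:443"),
    Event(_t(900), "xml_request", "admin", "<config/>"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The token match alone is only a medium-confidence signal, since a misconfigured client could send a harmless DTD; the escalation to high is what ties the request to the behaviour that actually matters for an XXE, the management host reaching out where it normally does not.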

How to Mitigate CVE-2025-36589

Immediate Actions Required

  • Apply the fixed release referenced in Dell security advisory DSA-2025-425 to all Unisphere for PowerMax and Unisphere for PowerMax Virtual Appliance instances
  • Restrict network access to the Unisphere management interface to trusted administrative networks and jump hosts
  • Review and reduce the number of low-privileged accounts with access to the Unisphere management plane
  • Audit recent authentication and API activity for signs of XML payloads containing external entity references

Patch Information

Dell has published security updates under Dell Security Update DSA-2025-425 covering CVE-2025-36589 and additional issues across PowerMaxOS, PowerMax eEM, Unisphere for PowerMax, Unisphere for PowerMax Virtual Appliance, Unisphere 360, and Solutions Enabler Virtual Appliance. Administrators should consult the advisory for the specific fixed versions applicable to their deployment and follow Dell's upgrade procedures.

Workarounds

  • Place the Unisphere management interface behind a network segmentation boundary that only permits access from administrator workstations
  • Enforce strong authentication and the principle of least privilege for all Unisphere accounts, removing unused low-privileged users
  • Use a reverse proxy or web application firewall to inspect and block XML requests containing <!DOCTYPE or <!ENTITY declarations to Unisphere endpoints until patches are applied
```apache
# Example ModSecurity (v2 syntax) rule to block XXE-style payloads sent to Unisphere.
# Adjust the rule id, the URL paths and the syntax to your WAF. Body inspection
# only works with SecRequestBodyAccess On and a phase:2 rule.
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "@rx (?i)xml" \
  "id:1003658,phase:2,deny,status:403,log,msg:'Block XXE attempt to Unisphere',chain"
  SecRule REQUEST_BODY "@rx (?i)(<!DOCTYPE|<!ENTITY|SYSTEM\s+\"file:)" "t:none"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
