CVE-2025-36593 Overview
CVE-2025-36593 affects Dell OpenManage Network Integration (OMNI) versions prior to 3.8. The vulnerability is an Authentication Bypass by Capture-replay flaw [CWE-294] in the RADIUS protocol implementation. An attacker with adjacent network access can forge a valid protocol accept message in response to a failed authentication request. This issue is related to the Blast-RADIUS class of attacks against the RADIUS protocol.
The vulnerability carries a CVSS 3.1 score of 8.8 and affects confidentiality, integrity, and availability. Dell published advisory DSA-2025-257 to address the issue.
Critical Impact
An attacker positioned on an adjacent network can bypass RADIUS authentication and gain administrative access to network infrastructure managed by Dell OMNI.
Affected Products
- Dell OpenManage Network Integration (OMNI) versions prior to 3.8
- Deployments using RADIUS for administrative authentication
- Network fabrics managed through vulnerable OMNI instances
Discovery Timeline
- 2025-06-30 - CVE-2025-36593 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-36593
Vulnerability Analysis
The vulnerability resides in how Dell OMNI processes RADIUS authentication responses. RADIUS uses MD5-based Response Authenticators to bind a server response to a client request. When the integrity check is implemented incorrectly or relies on collision-prone MD5 constructions, an on-path attacker can manipulate authentication exchanges.
In this case, an attacker capturing an authentication request can craft a forged Access-Accept message that appears valid to OMNI even when the underlying credential check failed. Successful exploitation allows the attacker to authenticate as a legitimate user, including administrators, on the OMNI management plane.
The attack vector is Adjacent Network, meaning the attacker must reach the RADIUS traffic path. This is typical of attackers with a foothold inside the management VLAN or with access to networking equipment between the OMNI client and the RADIUS server.
Root Cause
The root cause is improper validation of RADIUS Response Authenticator values, consistent with the Blast-RADIUS protocol weakness. The protocol's reliance on MD5 enables chosen-prefix collisions that allow forged accept messages to validate against an attacker-influenced request.
Attack Vector
An adversary intercepts a RADIUS Access-Request from the OMNI client toward the RADIUS server. The attacker injects or modifies attributes, computes a colliding MD5 value, and returns a forged Access-Accept message. OMNI accepts the forged response and grants authenticated access. Detailed exploitation mechanics are documented in the Dell Security Update DSA-2025-257.
Detection Methods for CVE-2025-36593
Indicators of Compromise
- Unexpected successful administrative logins to Dell OMNI without corresponding RADIUS server-side success events
- RADIUS Access-Accept packets received without a matching legitimate Access-Request on the RADIUS server
- Anomalous traffic on UDP port 1812 between OMNI and the RADIUS server, including duplicated or modified packets
- Authentication events from unexpected source addresses on the management network
Detection Strategies
- Correlate RADIUS server authentication logs with OMNI login events to identify mismatches between failed credential checks and successful client-side authentications
- Monitor for malformed or oversized RADIUS attributes such as Proxy-State or Message-Authenticator that may indicate Blast-RADIUS style exploitation
- Inspect RADIUS traffic for missing or invalid Message-Authenticator attributes on Access-Request and Access-Accept messages
Monitoring Recommendations
- Centralize RADIUS, OMNI, and switch authentication logs into a SIEM for cross-source correlation
- Alert on administrative configuration changes on switches managed by OMNI that follow recently observed RADIUS authentications
- Restrict and monitor packet captures on the management VLAN to identify on-path activity
How to Mitigate CVE-2025-36593
Immediate Actions Required
- Upgrade Dell OpenManage Network Integration to version 3.8 or later as directed in DSA-2025-257
- Enforce Message-Authenticator attribute on all RADIUS Access-Request and Access-Accept packets between OMNI and the RADIUS server
- Isolate the OMNI management interface and RADIUS traffic to a dedicated, access-controlled VLAN
- Rotate RADIUS shared secrets after patching to invalidate any captured authentication material
Patch Information
Dell has released a fixed build in OMNI version 3.8. Refer to the Dell Security Update DSA-2025-257 for download links and upgrade procedures.
Workarounds
- Where patching is delayed, transport RADIUS traffic over IPsec or RadSec (RADIUS over TLS) to prevent on-path message forgery
- Restrict RADIUS communication to dedicated point-to-point links between OMNI and the RADIUS server
- Temporarily disable RADIUS-based administrative authentication and use local accounts with strong credentials until the upgrade is applied
# Example: enforce Message-Authenticator on FreeRADIUS server side
# /etc/freeradius/3.0/clients.conf
client omni-management {
ipaddr = 10.10.20.0/24
secret = <rotated-strong-shared-secret>
require_message_authenticator = yes
limit_proxy_state = yes
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
