CVE-2025-36601 in PowerScale OneFS
Summary
by MITRE • 09/25/2025
Dell PowerScale OneFS, versions 9.5.0.0 through 9.11.0.0, contains an exposure of sensitive information to an unauthorized actor vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to Information disclosure.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 10/31/2025
The vulnerability identified as CVE-2025-36601 affects Dell PowerScale OneFS storage systems within a specific version range from 9.5.0.0 through 9.11.0.0. This issue represents a critical exposure of sensitive information to unauthorized actors, fundamentally compromising the security posture of affected systems. The vulnerability exists in the remote management interfaces of these storage appliances, creating potential attack vectors that can be exploited without authentication. Such a flaw directly violates fundamental security principles by allowing information disclosure to any remote attacker who can reach the affected system, regardless of their authorization status or credentials.
The technical implementation of this vulnerability stems from improper access controls and insufficient validation mechanisms within the OneFS firmware's management interfaces. Attackers can potentially access sensitive operational data, configuration details, and system metadata through unauthenticated remote connections. This exposure may include system logs, user credentials, network configurations, storage pool information, and other privileged data that should remain protected within enterprise storage environments. The vulnerability's impact is amplified by the fact that it operates at the network level, allowing exploitation from external networks without requiring prior access or authentication credentials.
The operational impact of this vulnerability extends beyond simple information disclosure, potentially enabling more sophisticated attacks that leverage the leaked information for further exploitation. An attacker who successfully exploits this vulnerability could gain insights into system architecture, identify potential attack vectors, and potentially escalate privileges or conduct targeted attacks against other system components. This information leakage creates cascading security risks that can compromise entire storage infrastructures, particularly in environments where PowerScale appliances serve as critical data repositories for enterprise applications and sensitive information.
Organizations should immediately implement mitigations including network segmentation to restrict access to affected systems, deployment of firewalls and access control lists to block unauthorized connections, and comprehensive monitoring of network traffic for suspicious activities. The implementation of intrusion detection systems and regular security audits becomes critical for identifying exploitation attempts. Additionally, administrators should consider disabling unnecessary remote management services and applying vendor-provided patches or firmware updates as soon as they become available. This vulnerability aligns with CWE-200, which addresses "Information Exposure," and represents a clear violation of the principle of least privilege as outlined in the ATT&CK framework under the information gathering phase. The risk assessment should include comprehensive vulnerability scanning, penetration testing, and security configuration reviews to ensure complete remediation of this exposure.