CVE-2025-36582
Description
Dell NetWorker, versions 19.12.0.1 and prior, contains a Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell NetWorker before 19.13.0.0 selects a less-secure algorithm during negotiation, letting an unauthenticated attacker cause information disclosure with low confidentiality and low integrity impact.
Vulnerability
Dell NetWorker versions prior to 19.13.0.0 contain a Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') vulnerability, as described in CVE-2025-36582 [1]. The affected components include the NetWorker Management Console, NetWorker Web UI, and NetWorker Authentication Service [1]. The vulnerability is present in the product line spanning versions up to and including 19.12.0.1 [1].
Exploitation
An unauthenticated attacker with remote network access can exploit this vulnerability by placing themselves in a position to perform a man-in-the-middle attack, forcing the protocol negotiation to fall back to a weaker cryptographic algorithm [1]. The attack complexity is high, as the attacker must be able to intercept and manipulate traffic during the handshake phase, and no user interaction is required [1].
Impact
Successful exploitation leads to information disclosure, with low confidentiality impact and low integrity impact [1]. An attacker who downgrades the negotiated algorithm may be able to decrypt or tamper with sensitive data transmitted over the affected NetWorker services, though the scope remains unchanged (confined to the component) [1].
Mitigation
Dell Technologies released remediated version 19.13.0.0 to address this vulnerability [1]. All customers should upgrade to NetWorker 19.13.0.0 or later. No workarounds have been published; upgrading is the recommended action [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: N/A
References (1)