CVE-2025-36597
Description
Dell Avamar, versions prior to 19.12 with patch 338905, contains an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell Avamar path traversal vulnerability allows high-privileged remote attackers to read arbitrary files, fixed in version 19.12 with patch 338905.
Vulnerability Overview
CVE-2025-36597 is an improper limitation of a pathname to a restricted directory (path traversal) vulnerability in the Security component of Dell Avamar. The root cause is insufficient validation of user-supplied file paths, enabling an attacker to bypass directory restrictions and access files outside the intended scope [1]. Affected versions include Avamar Server and Avamar Virtual Edition from 19.8 through 19.12, as well as Dell PowerProtect DP Series Appliance (IDPA) prior to version 2.7.9 [1].
Exploitation Conditions
Exploitation requires an attacker with high privileges and remote network access to the Avamar system. High privileges (e.g., administrative credentials) are necessary to reach the vulnerable functionality, but once authenticated, the attacker can craft malicious path traversal sequences (such as "../") to navigate the filesystem [1]. The attack does not require local access or additional complexity beyond leveraging the authenticated session.
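The root cause described above is a file-path parameter that is joined onto a restricted directory without canonicalisation. The following Python example is added here as a generic illustration and is not Dell Avamar's code; the export directory, file names and symlink are all constructed inside a temporary directory. It places the naive join pattern next to a hardened resolver that canonicalises with realpath and checks containment with commonpath, and shows why a plain string-prefix check is not enough when a symlink inside the allowed directory points outside it. The is_traversal_attempt helper is a hypothetical detection hook for logging rejected requests.

```python
import os
import shutil
import tempfile
from typing import Optional


def naive_join(base: str, user_path: str) -> str:
    """The pattern behind a path traversal bug: the user-supplied name is
    concatenated onto the base directory with only lexical normalisation.
    '../' segments walk out of the directory, and a symlink under base is
    not followed, so a string-prefix check on the result is meaningless."""
    return os.path.normpath(os.path.join(base, user_path))


def safe_resolve(base: str, user_path: str) -> Optional[str]:
    """Resolve user_path beneath base and return the canonical path, or None
    if the result would fall outside base. Rejects empty or NUL-containing
    input, absolute input, parent references that escape base, and symlink
    escapes (realpath follows links before the containment check)."""
    if not user_path or "\x00" in user_path or os.path.isabs(user_path):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath compares whole segments, so /var/app/exports-old is not
    # mistaken for a child of /var/app/exports the way startswith() would.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def is_traversal_attempt(user_path: str) -> bool:
    """Hypothetical detection hook: flag inputs carrying traversal or
    absolute-path patterns so blocked requests can be logged and alerted on.
    Assumes URL decoding has already happened upstream."""
    norm = user_path.replace("\\", "/")
    return norm.startswith("/") or ".." in norm.split("/") or "\x00" in user_path


def demo() -> dict:
    """Constructed scenario: an export directory holding one legitimate file
    and a symlink that points to a sibling directory containing a secret.
    Returns a dict of booleans describing each resolver's behaviour."""
    root = tempfile.mkdtemp(prefix="exports-")
    outside = tempfile.mkdtemp(prefix="outside-")
    try:
        secret = os.path.join(outside, "secret.key")
        with open(secret, "w") as f:
            f.write("constructed-secret\n")
        os.makedirs(os.path.join(root, "reports"))
        with open(os.path.join(root, "reports", "daily.log"), "w") as f:
            f.write("ok\n")
        os.symlink(outside, os.path.join(root, "link"))

        dotdot = os.path.join("..", os.path.basename(outside), "secret.key")
        naive_symlink = naive_join(root, "link/secret.key")
        return {
            "legit": safe_resolve(root, "reports/daily.log") is not None,
            "dotdot": safe_resolve(root, dotdot) is None,
            "absolute": safe_resolve(root, secret) is None,
            "symlink": safe_resolve(root, "link/secret.key") is None,
            # naive join lets '../../etc/passwd' leave the directory entirely
            "naive_escapes": not naive_join(root, "../../etc/passwd").startswith(root + os.sep),
            # naive join keeps the symlink path "inside" root lexically, so a
            # prefix check passes even though the file lives elsewhere
            "naive_symlink_passes_prefix_check": naive_symlink.startswith(root + os.sep)
            and os.path.realpath(naive_symlink) == os.path.realpath(secret),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(outside, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The containment check must run on the canonical path of both the base and the candidate; comparing the user-supplied string against the base, or checking the lexically normalised join, leaves the symlink case open.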
Impact
Successful exploitation leads to information disclosure, allowing the attacker to read sensitive files stored on the Avamar server. This could include configuration files, cryptographic keys, backup metadata, or other confidential data that may be leveraged for further attacks or compromise of backup integrity [1]. The CVSS base score of 4.7 (Medium) reflects the prerequisite of high privileges while still accounting for the potential for significant data exposure.
Mitigation
Dell has addressed this vulnerability in Avamar version 19.12 with cumulative hotfix (CHF) 338905 and in IDPA version 2.7.9 with the same hotfix. Users are strongly advised to apply the patch promptly via the Dell support portal [1]. No workarounds are documented; the only remediated versions are those listed in the advisory.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <19.12 with patch 338905
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.