CVE-2025-36598
Description
Dell Avamar, versions prior to 19.12 with patch 338905, contains an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to the upload of malicious files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in Dell Avamar before 19.12 + patch 338905 allows a high-privileged attacker to upload malicious files remotely.
Vulnerability Details
Dell Avamar (and Avamar Virtual Edition) versions 19.8 through 19.12, prior to the inclusion of patch 338905, contain an improper limitation of a pathname to a restricted directory, commonly known as a path traversal vulnerability. The flaw resides in the security component of the software, enabling an authenticated attacker with high privileges to bypass intended directory restrictions [1].
Exploitation
To exploit CVE-2025-36598, an attacker must have high-privileged access and be able to communicate with the Avamar server over the network. The vulnerability allows the attacker to manipulate file paths, effectively writing files to arbitrary locations on the server's filesystem. No user interaction is required beyond the initial authentication [1].
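The mechanism described above is the classic CWE-22 pattern: a client-supplied file name is joined onto a server-side upload directory without checking that the resulting path still lies inside that directory. The following is an added illustration for defenders, not Dell's code and not derived from the Avamar fix; the upload root, the sample file names and the function names are constructed assumptions. It shows the naive join beside a hardened version that canonicalises both sides and enforces containment, and classifies a constructed batch of names so the difference is visible.

```python
import os
from pathlib import Path

# Constructed example root; the page does not document Avamar's real upload directory.
UPLOAD_ROOT = Path("/srv/example-app/uploads")

# Constructed sample of client-supplied names: benign ones and traversal attempts.
SAMPLE_NAMES = [
    "backup-policy.json",
    "reports/2025/q1.csv",
    "../../../../outside/dropped.txt",
    "reports/../../outside/dropped.txt",
    "..\\..\\outside\\dropped.txt",
    "/absolute/outside/dropped.txt",
    "",
    "note\x00.txt",
]


def naive_upload_path(root, requested_name):
    """Vulnerable pattern (CWE-22): the client-controlled name is joined onto the
    root with no containment check, so '..' segments or an absolute path walk out."""
    return os.path.normpath(os.path.join(root, requested_name))


def escapes_root(root, requested_name):
    """True when the naive join lands outside the root, i.e. what the CVE describes."""
    canonical_root = os.path.realpath(root)
    target = os.path.realpath(naive_upload_path(root, requested_name))
    return os.path.commonpath([canonical_root, target]) != canonical_root


def safe_upload_path(root, requested_name):
    """Hardened pattern: canonicalise root and candidate, then require the candidate
    to be a strict descendant of the root. Raises ValueError on any violation."""
    if not requested_name or "\x00" in requested_name:
        raise ValueError("invalid file name")
    # Treat backslashes as separators so Windows-style traversal is caught on a
    # POSIX host instead of being stored as a literal file name.
    normalised_name = requested_name.replace("\\", "/")
    if os.path.isabs(normalised_name):
        raise ValueError("absolute paths are not permitted")
    canonical_root = Path(os.path.realpath(root))
    # realpath collapses '..' and symlinks, so a link planted inside the root
    # cannot redirect the write elsewhere either.
    candidate = Path(os.path.realpath(canonical_root / normalised_name))
    try:
        relative = candidate.relative_to(canonical_root)
    except ValueError:
        raise ValueError("path escapes upload root") from None
    if relative == Path("."):
        raise ValueError("path resolves to the upload root itself")
    return candidate


def classify(root, names):
    """Return {name: 'accepted' | 'rejected'} under the hardened check."""
    verdicts = {}
    for name in names:
        try:
            safe_upload_path(root, name)
            verdicts[name] = "accepted"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify(UPLOAD_ROOT, SAMPLE_NAMES).items():
        print(f"{verdict:8s} {name!r}")
```

The containment check is done on canonical absolute paths rather than by string-matching for `..`, because encoded or mixed separators and symlinks defeat substring filters; the same check is what a reviewer would look for in any upload handler that takes a file name from an authenticated but untrusted client.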
Impact
Successful exploitation permits the attacker to upload malicious files to the server. While the official advisory does not explicitly detail the outcome, arbitrary file write capabilities typically lead to code execution, privilege escalation, or persistent access when combined with other weaknesses. The associated CVSS base score is 6.5 (Medium) [1].
Mitigation
Dell has addressed this vulnerability in Avamar 19.12 with Cumulative Hotfix (CHF) 338905. The same fix is also available for Dell PowerProtect DP Series Appliance (IDPA) version 2.7.9 with AV CHF 338905. Users of affected versions should apply the appropriate update immediately from the Avamar Downloads Area [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 19.12 with patch 338905
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.