{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-36568", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2025-04-15T21:29:33.584Z", "datePublished": "2026-04-17T08:12:17.696Z", "dateUpdated": "2026-04-17T08:12:17.696Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-04-17T08:12:17.696Z"}, "datePublic": "2026-04-15T18:30:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials", "type": "CWE"}]}], "affected": [{"vendor": "Dell", "product": "PowerProtect Data Domain BoostFS", "versions": [{"status": "affected", "version": "0", "lessThan": "8.6.0.0 or later", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "8.3.1.30 or later", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "7.13.1.60 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Domain BoostFS for client of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain an insufficiently protected credentials vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to credential exposure. The attacker may be able to use the exposed credentials to access the system with privileges of the compromised account.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Dell PowerProtect Data Domain BoostFS for client of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain an insufficiently protected credentials vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to credential exposure. The attacker may be able to use the exposed credentials to access the system with privileges of the compromised account."}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Domain BoostFS for client of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain an insufficiently protected credentials vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to credential exposure. The attacker may be able to use the exposed credentials to access the system with privileges of the compromised account."}], "id": "CVE-2025-36568", "lastModified": "2026-04-17T09:16:05.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.1, "impactScore": 6.0, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2026-04-17T09:16:05.000", "references": [{"source": "security_alert@emc.com", "url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "security_alert@emc.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T11:24:45.677593+00:00", "value": {"mitigation_remediation": ["Apply the Dell DSA\u20112026\u2011060 security update for PowerProtect Data Domain BoostFS to all affected releases", "Restart the PowerProtect Data Domain services to ensure the update takes effect", "Configure the system to enforce strong credential storage and management policies, such as password hashing and limited local access, as a temporary countermeasures until the vendor update is applied"], "summary": {"action": "Patch", "impact": "Credential Exposure via insufficiently protected credentials"}, "threat_synthesis": {"affected_systems": "Affected are Dell PowerProtect Data Domain BoostFS clients on Feature Release versions 7.7.1.0 through 8.5, LTS2025 release versions 8.3.1.0 through 8.3.1.20, and LTS2024 release versions 7.13.1.0 through 7.13.1.50. Only these specific releases contain the insufficiently protected credentials flaw.", "description_and_impact": "The vulnerability arises from credentials that are not adequately protected within Dell PowerProtect Data Domain BoostFS. A local attacker with low privileges can acquire these exposed credentials, subsequently using them to access the system with the full rights of the compromised account. The impact is therefore the potential loss of confidentiality, integrity, and availability of data and services governed by those credentials.", "risk_and_exploitability": "With a CVSS score of 7.8, the vulnerability is considered high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed field\u2011of\u2011view exploitation yet. The attack vector is local: a low privileged attacker who gains physical or local network access can exploit the weakness. The lack of a patch or mitigation at the time of reporting increases the risk that an attacker could leverage the exposed credentials to elevate privileges and compromise the system."}}}}, "created": "2026-04-17T11:30:16.984192+00:00", "title": "Insufficiently Protected Credentials in Dell PowerProtect Data Domain BoostFS", "updated": "2026-04-17T11:30:16.984205+00:00", "vendors": []}