CVE-2025-36601: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Dell PowerScale OneFS

Severity: Medium
Tags: Vulnerability, CVE-2025-36601, CWE-200
Published: Thu Sep 25 2025 (09/25/2025, 14:54:50 UTC)
Source: CVE Database V5
Vendor/Project: Dell
Product: PowerScale OneFS

Description

Dell PowerScale OneFS, versions 9.5.0.0 through 9.11.0.0, contains an exposure of sensitive information to an unauthorized actor vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to information disclosure.

AI-Powered Analysis

Last updated: 09/25/2025, 15:04:12 UTC

Technical Analysis

CVE-2025-36601 is a medium-severity vulnerability in Dell PowerScale OneFS, Dell's scale-out NAS operating system for large storage clusters, affecting versions 9.5.0.0 through 9.11.0.0. It is classified as CWE-200 (exposure of sensitive information to an unauthorized actor): an unauthenticated remote attacker can potentially obtain information they are not entitled to, with no privileges and no user interaction required. The advisory does not name the affected component, the interface involved, or the root cause, so exactly what data is exposed is not public; the CWE class covers anything from version and configuration details to data that eases a follow-on attack. The CVSS v3.1 base score is 4.0, from a vector of network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), changed scope (S:C), low confidentiality impact (C:L), and no integrity (I:N) or availability (A:N) impact. The high attack complexity is what keeps the score down: the attacker depends on conditions outside their control. The changed scope means the disclosed information belongs to a security authority other than the vulnerable component itself, and it is also what lifts the score into the Medium band; the same vector with an unchanged scope rates 3.7 (Low). No exploitation in the wild had been reported and no patch was linked at the time of this analysis, so the fixed release should be confirmed against Dell's own security advisory rather than this page.

Potential Impact

For European organizations the exposure matters because PowerScale OneFS is commonly deployed as the storage layer for large data estates in finance, healthcare, telecommunications, and government. Information disclosed to an unauthenticated party could include data subject to the GDPR, with the regulatory fines and reputational damage that follow a breach, or configuration and system details that help an attacker plan a more targeted follow-on attack such as privilege escalation or data exfiltration. The vector records no integrity or availability impact, so the flaw by itself does not let an attacker alter or destroy data or disrupt service; the risk is the confidentiality loss and what it enables, including loss of customer trust and closer regulatory scrutiny. Two factors raise the risk profile despite the medium score: exploitation needs neither credentials nor user interaction, and a storage cluster is a high-value target because of what it holds.

Mitigation Recommendations

With no official fix linked at the time of this report, compensating controls are the immediate step; none of them removes the vulnerability, so the list ends with patching. Restrict network access to the OneFS management interfaces (web administration UI, platform API, and SSH) to trusted administrative networks and VPN ranges using firewall rules and segmentation; an unauthenticated flaw is reachable only by whoever can reach the service, so this is the control that actually reduces exposure. Keep strong authentication and authorization enforced on all administrative access; that does not block an unauthenticated disclosure, but it limits how far an attacker can get with whatever the disclosure reveals. Monitor firewall logs, cluster audit logs, and web-access logs for management-interface connections from untrusted sources and for unusual query patterns, and tune IDS/IPS signatures for OneFS traffic accordingly. Ask Dell support for interim mitigations or configuration changes that reduce information exposure, since the advisory does not name the affected component. When Dell publishes a fixed release, verify which versions it covers (the affected range here is 9.5.0.0 through 9.11.0.0) and deploy it with priority after testing to avoid operational disruption. Finally, include the storage tier in regular security assessments and penetration tests so similar exposures are found before an attacker finds them.
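The recommendations above amount to a procedure: first find which clusters run an affected version, then find who can reach their management interfaces. The script below, added here as an example and not part of the original page or of any Dell tooling, does both on constructed input. Its assumptions: a firewall log in a simple key=value form (src=, dst=, dport=), a management surface of TCP 8080 (the OneFS web UI and platform API port) plus TCP 22 (SSH), and RFC 5737 documentation addresses with made-up cluster names; adjust all three to the environment at hand.

```python
"""Triage helper for CVE-2025-36601 (added example).
(1) Classify inventoried OneFS versions against the affected range the advisory
    states (9.5.0.0 through 9.11.0.0).
(2) Pull management-interface connections from untrusted networks out of a
    firewall log. Log format, ports, addresses and hostnames are assumptions."""
import ipaddress
import re
from collections import defaultdict

AFFECTED_MIN = (9, 5, 0, 0)
AFFECTED_MAX = (9, 11, 0, 0)   # inclusive, as the advisory text reads

# Assumed administrative surface of a OneFS cluster: TCP 8080 (web UI and
# platform API) and TCP 22 (SSH). Adjust if your deployment differs.
MANAGEMENT_PORTS = {8080, 22}


def parse_version(version: str) -> tuple:
    """'9.10.0.0' -> (9, 10, 0, 0). Numeric tuples compare correctly where the
    raw strings do not ('9.10.0.0' < '9.5.0.0' as text)."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))   # pad '9.5' to (9, 5, 0, 0)


def version_status(version: str) -> str:
    """'affected', 'below-range' or 'above-range' relative to the stated range.
    'above-range' is not a clean bill of health: the advisory gives a ceiling,
    not a fixed version, so confirm against Dell's advisory before closing."""
    v = parse_version(version)
    if v < AFFECTED_MIN:
        return "below-range"
    if v > AFFECTED_MAX:
        return "above-range"
    return "affected"


LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def untrusted_management_access(lines, trusted_cidrs, ports=MANAGEMENT_PORTS):
    """Count connections to management ports whose source lies outside every
    trusted network. Returns sorted [((src_ip, port), count), ...]."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue            # not in the assumed format; skip rather than guess
        port = int(m["dport"])
        if port not in ports:
            continue            # data-path traffic (NFS, SMB, ...) is out of scope here
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in trusted):
            continue
        hits[(str(src), port)] += 1
    return sorted(hits.items())


# Constructed sample data: RFC 5737 documentation addresses, made-up hostnames.
INVENTORY = [("nas-fra-01", "9.5.0.0"), ("nas-ams-02", "9.10.0.0"),
             ("nas-dub-03", "9.4.0.1"), ("nas-mad-04", "9.11.0.1")]
TRUSTED_NETWORKS = ["10.20.0.0/16"]
SAMPLE_LOG = [
    "2025-09-26T08:12:03Z src=10.20.1.40 dst=10.20.0.5 dport=8080 action=allow",
    "2025-09-26T08:12:09Z src=203.0.113.7 dst=10.20.0.5 dport=8080 action=allow",
    "2025-09-26T08:12:15Z src=203.0.113.7 dst=10.20.0.5 dport=8080 action=allow",
    "2025-09-26T08:12:40Z src=198.51.100.23 dst=10.20.0.5 dport=22 action=allow",
    "2025-09-26T08:13:01Z src=192.0.2.9 dst=10.20.0.5 dport=2049 action=allow",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for name, ver in INVENTORY:
        print(f"{name:<12} {ver:<10} {version_status(ver)}")
    for (src, port), n in untrusted_management_access(SAMPLE_LOG, TRUSTED_NETWORKS):
        print(f"untrusted management access: {src} -> tcp/{port} ({n} connections)")
```

The version check is the part most often done wrong in a hurry: compared as strings, "9.10.0.0" sorts before "9.5.0.0", so a lexical filter would wrongly clear every 9.10.x and 9.11.x cluster. The log check deliberately ignores data-path ports such as NFS; the mitigation is about who can reach the management surface, and the NFS clients of a cluster are a different, usually much larger population.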


Technical Details

Data Version: 5.1
Assigner Short Name: dell
Date Reserved: 2025-04-15T21:32:11.414Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d558e1bbd73d20e5f4081b

Added to database: 9/25/2025, 2:59:45 PM

Last enriched: 9/25/2025, 3:04:12 PM

Last updated: 10/7/2025, 9:52:59 PM
