CVE-2025-36564
📋 TL;DR
Dell Encryption Admin Utilities versions before 11.10.2 contain an improper link resolution vulnerability (CWE-61) that allows local malicious users to escalate privileges. This affects systems running vulnerable versions of Dell Encryption Admin Utilities. Attackers must have local access to exploit this vulnerability.
💻 Affected Systems
- Dell Encryption Admin Utilities
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full administrative/root privileges on the system, enabling complete system compromise, data theft, and persistence establishment.
Likely Case
Local user with standard privileges escalates to administrative privileges, allowing installation of malware, configuration changes, and access to protected data.
If Mitigated
With proper access controls and monitoring, exploitation attempts are detected and blocked before privilege escalation occurs.
🎯 Exploit Status
Exploitation requires local access but is likely straightforward once access is obtained. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.10.2 or later
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000325203/dsa-2025-224
Restart Required: Yes
Instructions:
1. Download Dell Encryption Admin Utilities version 11.10.2 or later from Dell Support.
2. Back up the system and data.
3. Run the installer with administrative privileges.
4. Restart the system as prompted.
5. Verify successful installation.
🔧 Temporary Workarounds
Restrict Local Access
Limit local access to systems running Dell Encryption Admin Utilities to trusted users only.
Remove Unnecessary Privileges
Review and reduce local user privileges on affected systems to the minimum required levels.
🧯 If You Can't Patch
- Implement strict access controls to limit which users can log in locally to affected systems
- Deploy application control solutions to prevent unauthorized execution of privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Dell Encryption Admin Utilities version via Control Panel > Programs and Features, or with the PowerShell command given under Check Version below.
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Dell Encryption Admin*'} | Select-Object Name, Version
Verify Fix Applied:
Verify that the installed version is 11.10.2 or later using the same method as for checking vulnerability. Compare the version numerically (e.g. by casting to [version]), not as a string, since a string comparison would rank 11.9.x above 11.10.2.
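The following script, added here as an example and not taken from the Dell advisory, performs the version check above by reading the standard Uninstall registry keys instead of Win32_Product (enumerating Win32_Product triggers an MSI consistency check of every installed package and is slow). It assumes the product registers a DisplayName matching '*Dell Encryption Admin*' under those keys; the fixed version 11.10.2 comes from the advisory.

```powershell
# Added example (not from the Dell advisory): report whether the installed
# Dell Encryption Admin Utilities version is below the fixed version 11.10.2.
# Assumption: the product appears under the standard Uninstall registry keys
# with a DisplayName matching '*Dell Encryption Admin*'.

$FixedVersion  = [version]'11.10.2'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-DellEncryptionAdminVersion {
    # Returns DisplayName/DisplayVersion for matching products, or nothing.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Dell Encryption Admin*' } |
        Select-Object DisplayName, DisplayVersion
}

function Test-CVE202536564 {
    param([Parameter(Mandatory)] [string]$InstalledVersion)
    # $true when the installed version is numerically below 11.10.2.
    # A [version] comparison is used on purpose: a string comparison would
    # rank '11.9.1' above '11.10.2'.
    $parsed = $null
    if (-not [version]::TryParse($InstalledVersion, [ref]$parsed)) {
        throw "Unparseable version string: '$InstalledVersion'"
    }
    return $parsed -lt $FixedVersion
}

$installed = Get-DellEncryptionAdminVersion
if (-not $installed) {
    Write-Output 'Dell Encryption Admin Utilities not found in the Uninstall registry keys.'
} else {
    foreach ($product in $installed) {
        $vulnerable = Test-CVE202536564 -InstalledVersion $product.DisplayVersion
        $status = if ($vulnerable) { 'VULNERABLE - update to 11.10.2 or later' } else { 'patched' }
        Write-Output ('{0} {1}: {2}' -f $product.DisplayName, $product.DisplayVersion, $status)
    }
}
```

Run it in an elevated PowerShell session on each host; the same Test-CVE202536564 function can be reused after patching for the Verify Fix Applied step, and a version string that fails to parse is reported as an error rather than silently treated as patched.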
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation attempts
- Suspicious process creation by non-admin users
- Access to protected system directories by standard users
Network Indicators:
- Not applicable - local exploitation only
SIEM Query:
EventID=4688 AND (ProcessName LIKE '%dellencryption%' OR CommandLine LIKE '%dellencryption%') AND SubjectUserName NOT IN (admin_users_list)
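The SIEM query above is written in a generic pseudo-syntax, with admin_users_list standing in for your own allowlist. The PowerShell below, added here as an example and not part of the advisory, applies the same logic to Windows Security event 4688 (process creation) records: it flags any process whose image path or command line mentions dellencryption and whose subject account is not on the allowlist. It assumes the audit policy "Include command line in process creation events" is enabled (otherwise CommandLine is empty), and the allowlist accounts, sample records and file path are constructed placeholders.

```powershell
# Added example (not from the Dell advisory): apply the SIEM query's logic to
# event 4688 records. The allowlist, sample events and paths are constructed.
$AdminAllowList = @('CONTOSO\svc-encryption', 'CONTOSO\it-admin')   # constructed placeholder

function Find-SuspiciousDellEncryptionProcesses {
    param(
        [Parameter(Mandatory)] [object[]]$Events,      # objects with 4688 EventData fields
        [string[]]$AllowList = $AdminAllowList
    )
    $Events | Where-Object {
        ($_.NewProcessName -like '*dellencryption*' -or $_.CommandLine -like '*dellencryption*') -and
        ($AllowList -notcontains "$($_.SubjectDomainName)\$($_.SubjectUserName)")
    }
}

# Constructed sample records shaped like the EventData fields of event 4688.
# 'C:\PLACEHOLDER_DELL_PATH' is not a real install path.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2025-08-01T09:12:03'; SubjectDomainName = 'CONTOSO'; SubjectUserName = 'it-admin'
                       NewProcessName = 'C:\PLACEHOLDER_DELL_PATH\DellEncryptionAdmin.exe'; CommandLine = '' }
    [pscustomobject]@{ TimeCreated = '2025-08-01T13:47:55'; SubjectDomainName = 'CONTOSO'; SubjectUserName = 'jdoe'
                       NewProcessName = 'C:\Windows\System32\cmd.exe'
                       CommandLine    = 'cmd.exe /c "C:\PLACEHOLDER_DELL_PATH\DellEncryptionAdmin.exe" /?' }
    [pscustomobject]@{ TimeCreated = '2025-08-01T14:02:10'; SubjectDomainName = 'CONTOSO'; SubjectUserName = 'jdoe'
                       NewProcessName = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe' }
)

# Only the second record is returned: it references dellencryption and jdoe is not allowlisted.
Find-SuspiciousDellEncryptionProcesses -Events $sample |
    Format-Table TimeCreated, SubjectUserName, NewProcessName, CommandLine -AutoSize

# Against the live Security log (reading it requires administrative rights):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
#     ForEach-Object {
#         $x = [xml]$_.ToXml(); $d = @{ TimeCreated = $_.TimeCreated }
#         $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#         [pscustomobject]$d
#     }
# Find-SuspiciousDellEncryptionProcesses -Events $live
```

The match is intentionally broad (any path or argument containing dellencryption), so expect legitimate administrator activity to appear when the allowlist is incomplete; tune the allowlist per host role rather than loosening the pattern, since a standard user invoking the encryption tooling is exactly the condition the advisory's Log Indicators describe.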