CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description (NVD)
An out-of-bounds write vulnerability exists in the cv_upgrade_sensor_firmware functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault 3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an out-of-bounds write. An attacker can issue an API call to trigger this vulnerability.
Analysis (AI)
CVE-2025-25050 is an out-of-bounds write vulnerability in Dell ControlVault3 and ControlVault 3 Plus that allows a local, authenticated attacker to trigger memory corruption through a specially crafted API call to the cv_upgrade_sensor_firmware function. An attacker with local access and low privileges can achieve high-impact compromise including complete confidentiality, integrity, and availability violations. The vulnerability affects all versions prior to ControlVault3 5.15.10.14 and ControlVault 3 Plus 6.2.26.36; exploitation requires local access and valid user credentials but no user interaction.
Technical Context (AI)
The vulnerability exists in the cv_upgrade_sensor_firmware API handler within Dell's ControlVault firmware management subsystem. CWE-787 (Out-of-bounds Write) indicates that the vulnerable code fails to properly validate input parameters or enforce buffer boundaries when processing API requests related to sensor firmware upgrades. This results in a write operation that accesses memory locations outside the intended buffer, potentially corrupting adjacent memory structures, heap metadata, or enabling code execution. The ControlVault products are hardware security modules/trusted platform management solutions, and the affected function is likely responsible for processing firmware upgrade payloads without adequate input validation or size checks. The API-based attack vector suggests the vulnerability can be triggered programmatically without requiring direct binary exploitation or kernel-level access.
Remediation (AI)
- Upgrade to version 5.15.10.14 or later; priority: Immediate
- Upgrade to version 6.2.26.36 or later; priority: Immediate
- Mitigation: Restrict local access to systems running ControlVault through strong access controls, privileged access management, and monitoring of API calls to cv_upgrade_sensor_firmware function; priority: High
- Detection: Monitor system logs for failed/successful firmware upgrade attempts via ControlVault API; implement behavioral analytics to detect abnormal API call patterns with malformed payloads; priority: High
- Workaround: Disable sensor firmware upgrade functionality if not actively required, subject to operational constraints; priority: Medium
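To act on the two upgrade thresholds above across a fleet, the following added example (not part of the advisory and not Dell code) triages an inventory export against the fixed versions. The CSV columns, host names and sample firmware versions are constructed assumptions; how the firmware version is collected from each machine is outside its scope.

```python
import csv
import io
import re

# Fixed firmware versions as stated in the advisory text above.
FIXED = {
    "controlvault3": (5, 15, 10, 14),
    "controlvault3plus": (6, 2, 26, 36),
}

def product_key(name):
    """Normalise 'ControlVault3', 'Dell ControlVault 3 Plus', etc. to a FIXED key."""
    key = re.sub(r"^dell", "", re.sub(r"[^a-z0-9]", "", name.lower()))
    return key if key in FIXED else None

def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is not a.b.c.d."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(product, firmware):
    key, ver = product_key(product), parse_version(firmware)
    if key is None or ver is None:
        return "UNKNOWN"  # never report unparsed data as patched
    # Tuple comparison is numeric per field: 5.9.x sorts below 5.15.x,
    # which a plain string comparison would get wrong.
    return "PATCHED" if ver >= FIXED[key] else "VULNERABLE"

def triage(inventory_csv):
    """Map each host in the CSV text to PATCHED, VULNERABLE or UNKNOWN."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"], r["firmware"]) for r in rows}

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """host,product,firmware
lt-001,ControlVault3,5.14.3.16
lt-002,Dell ControlVault3,5.15.10.14
lt-003,ControlVault 3 Plus,6.2.26.35
lt-004,ControlVault3 Plus,6.3.0.0
lt-005,ControlVault3,5.9.0.1
lt-006,ControlVault3,unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as UNKNOWN need manual follow-up rather than being counted as remediated.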
EUVD-2025-18302