Skip to main content

Idrac Tools CVE-2025-27689

| EUVDEUVD-2025-18220 HIGH
Improper Access Control (CWE-284)
2025-06-12 security_alert@emc.com
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:39 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
11.3.0.0
EUVD ID Assigned
Mar 14, 2026 - 21:20 euvd
EUVD-2025-18220
Analysis Generated
Mar 14, 2026 - 21:20 vuln.today
CVE Published
Jun 12, 2025 - 21:15 nvd
HIGH 7.8

DescriptionCVE.org

Dell iDRAC Tools, version(s) prior to 11.3.0.0, contain(s) an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.

AnalysisAI

Dell iDRAC Tools versions prior to 11.3.0.0 contain an improper access control vulnerability (CWE-284) that allows low-privileged local attackers to escalate privileges without user interaction. The CVSS 7.8 score reflects high confidentiality, integrity, and availability impact. While no CVE-2025-27689 entry exists in public KEV catalogs or active exploitation databases at this time, the local attack vector with low complexity and low privilege requirements indicates this is a practical privilege escalation risk for organizations running vulnerable iDRAC Tool versions on multi-user systems.

Technical ContextAI

Dell iDRAC (Integrated Dell Remote Access Controller) Tools are out-of-band management utilities that provide administrative access to Dell servers. The vulnerability stems from improper access control mechanisms (CWE-284: Improper Access Control - Generic) in the iDRAC Tools software stack, likely in file permissions, capability checks, or authorization logic for privileged operations. CPE identification would target: cpe:2.3:a:dell:idrac_tools:*:*:*:*:*:*:*:* with versions <11.3.0.0. The root cause is insufficient validation of user privileges before executing high-privilege operations, allowing local privilege escalation (LPE) attacks where a standard user can trigger functionality reserved for administrators.

Share

CVE-2025-27689 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy