PT-2025-25449 · Dell · Dell Controlvault3 Plus+1
Philippe Laulheret
·
Published
2025-06-13
·
Updated
2025-09-15
·
CVE-2025-24919
CVSS v3.1
8.1
High
| Vector | AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Dell ControlVault3 versions prior to 5.15.10.14
Dell ControlVault3 Plus versions prior to 6.2.26.36
Description
A deserialization of untrusted input vulnerability exists in the
cvhDecapsulateCmd functionality. A specially crafted ControlVault response to a command can lead to arbitrary code execution. An attacker can compromise the ControlVault firmware and configure it to generate a malicious response, triggering this vulnerability. The vulnerability affects over 100 popular Dell laptop models used in cybersecurity and government sectors.Recommendations
Dell ControlVault3 versions prior to 5.15.10.14: Update to version 5.15.10.14 or later.
Dell ControlVault3 Plus versions prior to 6.2.26.36: Update to version 6.2.26.36 or later.
Fix
RCE
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Dell Controlvault3
Dell Controlvault3 Plus