Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-24919

Summary
Assigner-talos
Assigner Org ID-b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b
Published At-13 Jun, 2025 | 21:48
Updated At-17 Jun, 2025 | 15:18
Rejected At-
Credits

Dell ControlVault3/ControlVault3 Plus deserialization of untrusted input vulnerability

A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault response to a command can lead to arbitrary code execution. An attacker can compromise a ControlVault firmware and have it craft a malicious response to trigger this vulnerability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:talos
Assigner Org ID:b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b
Published At:13 Jun, 2025 | 21:48
Updated At:17 Jun, 2025 | 15:18
Rejected At:
▼CVE Numbering Authority (CNA)
Dell ControlVault3/ControlVault3 Plus deserialization of untrusted input vulnerability

A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault response to a command can lead to arbitrary code execution. An attacker can compromise a ControlVault firmware and have it craft a malicious response to trigger this vulnerability.

Affected Products
Vendor
Broadcom Inc.Broadcom
Product
BCM5820X
Default Status
unaffected
Versions
Affected
  • NA
Vendor
Dell Inc.Dell
Product
ControlVault3
Default Status
unaffected
Versions
Affected
  • From 0 before 5.15.10.14 (semver)
Vendor
Dell Inc.Dell
Product
ControlVault3 Plus
Default Status
unaffected
Versions
Affected
  • From 0 before 6.2.26.36 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-502CWE-502 Deserialization of Untrusted Data
Type: CWE
CWE ID: CWE-502
Description: CWE-502 Deserialization of Untrusted Data
Metrics
VersionBase scoreBase severityVector
3.18.1HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Discovered by Philippe Laulheret of Cisco Talos.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.dell.com/support/kbdoc/en-us/000276106/dsa-2025-053
N/A
Hyperlink: https://www.dell.com/support/kbdoc/en-us/000276106/dsa-2025-053
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:talos-cna@cisco.com
Published At:13 Jun, 2025 | 22:15
Updated At:16 Jun, 2025 | 12:32

A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault response to a command can lead to arbitrary code execution. An attacker can compromise a ControlVault firmware and have it craft a malicious response to trigger this vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.1HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-502Primarytalos-cna@cisco.com
CWE ID: CWE-502
Type: Primary
Source: talos-cna@cisco.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.dell.com/support/kbdoc/en-us/000276106/dsa-2025-053talos-cna@cisco.com
N/A
Hyperlink: https://www.dell.com/support/kbdoc/en-us/000276106/dsa-2025-053
Source: talos-cna@cisco.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

8Records found
CVE-2021-36336
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-3.06% / 86.16%
||
7 Day CHG~0.00%
Published-21 Dec, 2021 | 17:05
Updated-16 Sep, 2024 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Wyse Management Suite 3.3.1 and below versions contain a deserialization vulnerability that could allow an unauthenticated attacker to execute code on the affected system.

Action-Not Available
Vendor-Dell Inc.
Product-wyse_management_suiteWyse Management Suite
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-28964
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-7.8||HIGH
EPSS-0.11% / 30.65%
||
7 Day CHG~0.00%
Published-12 Jun, 2024 | 15:02
Updated-16 Aug, 2024 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Common Event Enabler, version 8.9.10.0 and prior, contain an insecure deserialization vulnerability in CAVATools. A local unauthenticated attacker could potentially exploit this vulnerability, leading to arbitrary code execution in the context of the logged in user. Exploitation of this issue requires a victim to open a malicious file.

Action-Not Available
Vendor-Dell Inc.
Product-common_event_enablerCommon Event Enablercommon_event_enabler
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-18580
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-11.84% / 93.46%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 16:36
Updated-16 Sep, 2024 | 22:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC Storage Monitoring and Reporting version 4.3.1 contains a Java RMI Deserialization of Untrusted Data vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by sending a crafted RMI request to execute arbitrary code on the target host.

Action-Not Available
Vendor-Dell Inc.
Product-emc_storage_monitoring_and_reportingEMC Storage M&R
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-5341
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-12.71% / 93.73%
||
7 Day CHG~0.00%
Published-28 Jul, 2021 | 00:05
Updated-16 Sep, 2024 | 22:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deserialization of Untrusted Data Vulnerability Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2, 19.1 and 19.2 and Dell EMC Integrated Data Protection Appliance versions 2.0, 2.1, 2.2, 2.3, 2.4 and 2.4.1 contain a Deserialization of Untrusted Data Vulnerability. A remote unauthenticated attacker could exploit this vulnerability to send a serialized payload that would execute code on the system.

Action-Not Available
Vendor-Dell Inc.
Product-emc_avamar_serveremc_integrated_data_protection_appliance_firmwareAvamar Virtual Edition
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-28072
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-7.8||HIGH
EPSS-0.05% / 16.10%
||
7 Day CHG~0.00%
Published-04 Sep, 2023 | 15:38
Updated-30 Sep, 2024 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Alienware Command Center, versions prior to 5.5.51.0, contain a deserialization of untrusted data vulnerability. A local malicious user could potentially send specially crafted requests to the .NET Remoting server to run arbitrary code on the system.

Action-Not Available
Vendor-Dell Inc.
Product-alienware_command_centerAlienware Command Center (AWCC)
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-5327
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-8.1||HIGH
EPSS-5.04% / 89.35%
||
7 Day CHG~0.00%
Published-06 Mar, 2020 | 20:25
Updated-16 Sep, 2024 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Security Management Server versions prior to 10.2.10 contain a Java RMI Deserialization of Untrusted Data vulnerability. When the server is exposed to the internet and Windows Firewall is disabled, a remote unauthenticated attacker may exploit this vulnerability by sending a crafted RMI request to execute arbitrary code on the target host.

Action-Not Available
Vendor-Dell Inc.
Product-security_management_serverDell Encryption Enterprise
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-22460
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-2.2||LOW
EPSS-1.20% / 78.09%
||
7 Day CHG~0.00%
Published-08 May, 2024 | 15:52
Updated-04 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell PowerProtect DM5500 version 5.15.0.0 and prior contains an insecure deserialization Vulnerability. A remote attacker with high privileges could potentially exploit this vulnerability, leading to arbitrary code execution on the vulnerable application.

Action-Not Available
Vendor-Dell Inc.
Product-dm5500dm5500_firmwareData Manager Appliance Software (DMAS)powerprotect_data_manager_dm5500_firmware
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-21524
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-4.60% / 88.82%
||
7 Day CHG~0.00%
Published-12 Apr, 2021 | 19:50
Updated-16 Sep, 2024 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell SRM versions prior to 4.5.0.1 and Dell SMR versions prior to 4.5.0.1 contain an Untrusted Deserialization Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to arbitrary privileged code execution on the vulnerable application. The severity is Critical as this may lead to system compromise by unauthenticated attackers.

Action-Not Available
Vendor-Dell Inc.
Product-storage_monitoring_and_reportingstorage_resource_managerDell EMC Storage Monitoring and Reporting
CWE ID-CWE-502
Deserialization of Untrusted Data
Details not found