Severity
High
Analysis Summary
CVE-2025-24919 CVSS:8.1
A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault response to a command can lead to arbitrary code execution. An attacker can compromise the ControlVault firmware and have it craft a malicious response to trigger this vulnerability.
CVE-2025-25215 CVSS:8.8
An arbitrary free vulnerability exists in the cv_close functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an arbitrary free. An attacker can forge a fake session to trigger this vulnerability.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-24919
- CVE-2025-25215
Affected Vendors
- Dell
Affected Products
- Dell ControlVault3 prior to 5.15.10.14
- Dell ControlVault3 Plus prior to 6.2.26.36
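To find hosts that still need the update, the affected-version boundaries above can be checked against an inventory export. The following is an added example, not Dell's tooling or code from this advisory. The CSV layout, column names and host names are constructed assumptions; only the two fixed versions come from the advisory.

```python
import csv
import io
import re

# Fixed versions as stated in the advisory; earlier versions are affected.
FIXED = {
    "ControlVault3": (5, 15, 10, 14),
    "ControlVault3 Plus": (6, 2, 26, 36),
}
PRODUCT_RE = re.compile(r"controlvault\s*3\b(\s*plus\b)?", re.IGNORECASE)

def parse_version(text):
    """Dotted version -> 4-int tuple, or None when it is not purely numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(product, version):
    """Return 'affected', 'fixed' or 'unknown' for one inventory record."""
    match = PRODUCT_RE.search(product)
    parsed = parse_version(version)
    if match is None or parsed is None:
        return "unknown"  # never report an unparsable record as fixed
    name = "ControlVault3 Plus" if match.group(1) else "ControlVault3"
    # Integer tuple comparison: 5.15.9.2 sorts before 5.15.10.14,
    # which a plain string comparison would get wrong.
    return "affected" if parsed < FIXED[name] else "fixed"

# Constructed sample inventory (hosts and column names are assumptions).
SAMPLE = """\
host,product,firmware
lt-0001,Dell ControlVault3,5.15.9.2
lt-0002,Dell ControlVault3,5.15.10.14
lt-0003,Dell ControlVault3 Plus,6.2.26.4
lt-0004,Dell ControlVault3 Plus,6.2.26.36
lt-0005,Dell ControlVault3,not reported
"""

def triage(csv_text):
    """Map each host in the CSV export to its status."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: classify(r["product"], r["firmware"]) for r in reader}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}\t{status}")
```

Records reported as `unknown` need a manual check, since a missing or malformed version says nothing about whether the host is patched.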
Remediation
Refer to the Dell website for patch, upgrade, or suggested workaround information.

