CVE-2025-25215

Published Jun 13, 2025

Last updated 9 days ago

CVSS high 8.8
Firmware

Overview

Description
An arbitrary free vulnerability exists in the cv_close functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an arbitrary free. An attacker can forge a fake session to trigger this vulnerability.
Source
talos-cna@cisco.com
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
6
Exploitability score
2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity
HIGH

Weaknesses

talos-cna@cisco.com
CWE-763

Social media

Hype score
Not currently trending

  1. ⚠️Múltiples vulnerabilidades en Dell ControlVault3 ❗CVE-2025-25215 ❗CVE-2025-24922 ❗CVE-2025-25050 ➡️Más info: https://t.co/DZklMVtNSU https://t.co/X8FAEIlkfj

    @CERTpy

    13 Aug 2025

    79 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. https://t.co/BWwoqzWPtd CVE-2025-24311, CVE-2025-25215, CVE-2025-24922, CVE-2025-25050, CVE-2025-24919 Tengo un montón de usuarios de portátiles DELL con Linux

    @trblnyx

    7 Aug 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  3. 🔨Googleが8月の月例パッチをリリース、悪用が確認されたQualcommの脆弱性2件などを修正(CVE-2025-21479、CVE-2025-27038他) 💻Broadcomチップ搭載のDell製PC100機種以上に複数の重大な欠陥、早急なパッチ適用を呼びか

    @MachinaRecord

    6 Aug 2025

    158 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Dell社ラップトップ100機種以上のセキュリティチップ、Dell ControlVaultに深刻な脆弱性。CVE-2025-24311、CVE-2025-25050、CVE-2025-25215、CVE-2025-24922、CVE-2025-24919の5件。パスワードや生体データの保存に使用されている部品

    @__kokumoto

    6 Aug 2025

    1477 Impressions

    8 Retweets

    18 Likes

    6 Bookmarks

    1 Reply

    0 Quotes

  5. 🛡️ Critical flaws found in Dell ControlVault3 firmware: CVE-2025-25215, 25050, 24919 💣 Risks include code execution, privilege escalation & memory corruption. 📌 Patch now. Read more: https://t.co/SmqSY6bhGB #infosec #vulnalert #dellsecurity https://t.co/qeMwmmrJ5L

    @threatsbank

    14 Jun 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-25215 An arbitrary free vulnerability exists in the cv_close functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A spec… https://t.co/3AfXEuD0NE

    @CVEnew

    13 Jun 2025

    794 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Related CVEs

  1. The Semtech LR11xx LoRa transceivers running early versions of firmware contains an information disclosure vulnerability in its firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface.CVE-2025-14858
  2. Fortinet FortiClient EMS Improper Access Control VulnerabilityCVE-2026-35616
  3. A flaw has been found in Tenda AC5 15.03.06.47. This vulnerability affects the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. This manipulation of the argument PPPOEPassword causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been published and may be used.CVE-2026-4903
  4. A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.CVE-2026-2417
  5. A hardcoded cryptographic key within the configuration mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 enables decryption and re-encryption of device configuration data. An authenticated attacker may decrypt configuration files, modify them, and re-encrypt them, affecting the confidentiality and integrity of device configuration data.CVE-2025-15605

References

Sources include official advisories and independent security research.