CVE-2025-24919 — Deserialization of Untrusted Data in Dell Controlvault3

CWE-502 — Deserialization of Untrusted Data3 documents3 sources

Severity

8.1HIGHNVD

EPSS

0.7%

top 27.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dell Controlvault3 Dell Controlvault3 Plus Broadcom Bcm5820x

Timeline

PublishedJun 13

Latest updateJun 14

Description

A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault response to a command can lead to arbitrary code execution. An attacker can compromise a ControlVault firmware and have it craft a malicious response to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 1.4 | Impact: 6.0

Affected Packages3 packages

▶CVEListV5dell/controlvault3_plus< 6.2.26.36

▶CVEListV5dell/controlvault3< 5.15.10.14

▶CVEListV5broadcom/bcm5820xNA

🔴Vulnerability Details

GHSA

GHSA-fvxq-m6wq-rqqv: A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5↗2025-06-14

▶

CVEList

Dell ControlVault3/ControlVault3 Plus deserialization of untrusted input vulnerability↗2025-06-13

▶