Dell ControlVault3 Driver Vulnerability (DSA-2025-053)

high Nessus Plugin ID 245964

Synopsis

The Dell ControlVault3 cvusbdrv.sys driver is affected by multiple vulnerabilities.

Description

The version of the Dell ControlVault3 cvusbdrv.sys driver installed on the remote host is 5.x prior to 5.15.10.14, or 6.x prior to 6.2.26.36. It is, therefore, affected by multiple vulnerabilities as referenced in the vendor advisory:

- An out-of-bounds write vulnerability exists in the cv_upgrade_sensor_firmware functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an out-of-bounds write. An attacker can issue an API call to trigger this vulnerability. (CVE-2025-25050)
- A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault response to a command can lead to arbitrary code execution. An attacker can compromise the ControlVault firmware and have it craft a malicious response to trigger this vulnerability. (CVE-2025-24919)
- A stack-based buffer overflow vulnerability exists in the securebio_identify functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted malicious cv_object can lead to arbitrary code execution. An attacker can issue an API call to trigger this vulnerability. (CVE-2025-24922)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade the Dell ControlVault3 driver and firmware to version 5.15.10.14 (5.x branch) or 6.2.26.36 (6.x branch), or higher.

See Also

https://www.dell.com/support/kbdoc/en-us/000276106/dsa-2025-053?lwp=rt

Plugin Details

Severity: High

ID: 245964

File Name: dell_controlvault3_driver_DSA-2025-053.nasl

Version: 1.1

Type: local

Agent: windows

Family: Misc.

Published: 8/8/2025

Updated: 8/8/2025

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-25050

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: x-cpe:/a:dell:controlvault3_driver

Required KB Items: BIOS/Model, BIOS/Manufacturer, WMI/SystemDrivers/Enumerated

Exploit Ease: No known exploits are available

Patch Publication Date: 8/8/2025

Vulnerability Publication Date: 8/8/2025

Reference Information

CVE: CVE-2025-24311, CVE-2025-24919, CVE-2025-24922, CVE-2025-25050, CVE-2025-25215