Deserialization Vulnerability in Dell ControlVault Products
CVE-2025-24919

8.1 HIGH

Key Information:

Vendor:
Broadcom
CVE Published:
13 June 2025

What is CVE-2025-24919?

A deserialization-of-untrusted-input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 (before 5.15.10.14) and ControlVault3 Plus (before 6.2.26.36). cvhDecapsulateCmd unpacks the response that a ControlVault device returns to a command, and it does not adequately validate that response before acting on it. A specially crafted response can therefore trigger arbitrary code execution in the software that issued the command. Because the crafted response has to come from the device side, an attacker must first have compromised the ControlVault firmware; the payoff is that a compromised device can then run code outside itself, gaining unauthorised access to, and control over, the system that trusts it.
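As an added illustration, not Dell's or Broadcom's code and not the real ControlVault wire format or the cvhDecapsulateCmd implementation (the advisory publishes no such detail): a hypothetical response frame whose length field is chosen by the device, unpacked first in the trusting style that characterises this bug class and then with the checks a decapsulation routine on the receiving side needs. The frame layout, the field names, the constants and the three sample frames are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical response framing (constructed for this example; not the
 * ControlVault wire format):
 *   byte 0      tag of the command being answered
 *   byte 1      status code
 *   bytes 2..3  payload length, little-endian u16 (chosen by the device)
 *   bytes 4..   payload
 */
#define HDR_LEN      4
#define PAYLOAD_MAX  64

struct decap_result {
    uint8_t  tag;
    uint8_t  status;
    uint16_t payload_len;
    uint8_t  payload[PAYLOAD_MAX];
};

static uint16_t rd_u16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Bug class: the length field is read from the response and used as-is.
 * A device (or compromised firmware) that reports a length above
 * PAYLOAD_MAX makes memcpy write past out->payload and read past resp.
 * Shown for contrast only; never call it on untrusted input. */
int decap_trusting(const uint8_t *resp, size_t resp_len,
                   struct decap_result *out)
{
    if (resp_len < HDR_LEN)
        return -1;
    out->tag         = resp[0];
    out->status      = resp[1];
    out->payload_len = rd_u16le(resp + 2);
    memcpy(out->payload, resp + HDR_LEN, out->payload_len); /* unchecked */
    return 0;
}

/* Hardened: every field taken from the response is checked against what
 * was actually received and against our own buffer before it is used.
 * Return codes: 0 ok, -1 bad argument, -2 truncated header,
 * -3 declared length exceeds our buffer, -4 declared length does not
 * match the number of bytes delivered. */
int decap_checked(const uint8_t *resp, size_t resp_len,
                  struct decap_result *out)
{
    if (resp == NULL || out == NULL)
        return -1;
    if (resp_len < HDR_LEN)
        return -2;
    uint16_t len = rd_u16le(resp + 2);
    if (len > PAYLOAD_MAX)
        return -3;
    if ((size_t)len != resp_len - HDR_LEN)
        return -4;
    memset(out, 0, sizeof *out);
    out->tag         = resp[0];
    out->status      = resp[1];
    out->payload_len = len;
    memcpy(out->payload, resp + HDR_LEN, len);
    return 0;
}

int main(void)
{
    struct decap_result r;

    /* Constructed frames: one well-formed, two that a malicious device
     * could return. */
    const uint8_t good[]       = { 0x10, 0x00, 0x03, 0x00, 'a', 'b', 'c' };
    const uint8_t huge_len[]   = { 0x10, 0x00, 0xFF, 0xFF };            /* claims 65535 bytes */
    const uint8_t short_body[] = { 0x10, 0x00, 0x03, 0x00, 'a', 'b' };  /* claims 3, sends 2 */

    printf("good:       %d\n", decap_checked(good, sizeof good, &r));
    printf("huge_len:   %d\n", decap_checked(huge_len, sizeof huge_len, &r));
    printf("short_body: %d\n", decap_checked(short_body, sizeof short_body, &r));
    return 0;
}
```

The point of the second routine is that nothing the device says about itself is trusted: the declared length is bounded by the receiver's buffer and cross-checked against the byte count the transport actually delivered, so a device that lies in either direction gets a rejection code instead of a memcpy.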

Affected Version(s)

  • BCM5820X: NA (no version range given)
  • ControlVault3: all versions prior to 5.15.10.14
  • ControlVault3 Plus: all versions prior to 6.2.26.36

CVSS V3.1

Score: 8.1 (HIGH)
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Scope is Changed because the crafted response originates inside the ControlVault device while the code that ends up executing attacker-controlled instructions runs outside it.

Timeline

  • Vulnerability reserved
  • Vulnerability published: 13 June 2025

Credit

Discovered by Philippe Laulheret of Cisco Talos.