CVE-2025-22395

High

Published: 07 January 2025

Published

07 January 2025

Modified

04 February 2025

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS Score 0.0009 26.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Dell Update Package Framework, versions prior to 22.01.02, contain(s) a Local Privilege Escalation Vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary remote scripts on the server. Exploitation may lead to a denial of service by an attacker.

Security Summary

CVE-2025-22395 is a local privilege escalation vulnerability affecting the Dell Update Package (DUP) Framework in versions prior to 22.01.02. The flaw, associated with CWE-280 (improper handling of insufficient privileges), allows escalation from low-privileged access and was published on January 7, 2025, with a CVSS v3.1 base score of 8.2 (AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by tricking a user into interacting with a malicious input, potentially leading to the execution of arbitrary remote scripts on the server. Successful exploitation enables high-impact confidentiality, integrity, and availability violations, including denial of service.

Dell's security advisory (DSA-2025-034) at https://www.dell.com/support/kbdoc/en-us/000269079/dsa-2025-034-security-update-for-dell-update-package-dup-framework-vulnerability recommends updating the DUP Framework to version 22.01.02 or later to mitigate the issue.

Details

CWE(s): CWE-280NVD-CWE-noinfo

Affected Products

dell

update package framework

≤ 22.01.02

References

https://www.dell.com/support/kbdoc/en-us/000269079/dsa-2025-034-security-update-for-dell-update-package-dup-framework-vulnerability
Vendor Advisory · security_alert@emc.com