Cyber Posture

CVE-2025-22480

High

Published: 13 February 2025
Modified: 24 September 2025
CVSS Score: 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.9th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Dell SupportAssist OS Recovery versions prior to 5.5.13.1 contain a symbolic link attack vulnerability. A low-privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary file deletion and Elevation of Privileges.

Security Summary

CVE-2025-22480 is a symbolic link attack vulnerability affecting Dell SupportAssist OS Recovery versions prior to 5.5.13.1. The issue, published on 2025-02-13, is classified under CWE-61 (UNIX Symbolic Link (Symlink) Following) and CWE-59 (Improper Link Resolution Before File Access ('Link Following')): a privileged file operation resolves a link planted by a less privileged user and acts on the link's target instead of the intended path.

A low-privileged local attacker (PR:L, AV:L) can exploit this vulnerability with no user interaction required (UI:N). By replacing a file or directory that the privileged component deletes with a symbolic link, the attacker redirects that deletion to a target they could not remove directly; the high attack complexity (AC:H) reflects that the attacker must first arrange conditions outside their control, such as the timing of the component's file operation. Successful exploitation yields arbitrary file deletion and elevation of privileges, with high impact to confidentiality, integrity, and availability (C:H/I:H/A:H). The CVSS v3.1 base score is 7.0 (High) with no scope change (S:U).

Dell advisory DSA-2025-051, available at https://www.dell.com/support/kbdoc/en-us/000275712/dsa-2025-051, addresses this vulnerability. The remediation is to update Dell SupportAssist OS Recovery to version 5.5.13.1 or later; no workaround is listed, so earlier versions should be treated as vulnerable.
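The following Python script is an added illustration of the weakness class behind this CVE (CWE-59/CWE-61); it is not code from Dell, from the advisory, or from the affected product. It models a privileged cleanup routine that removes files beneath a user-writable staging directory, first in a form that follows links (so a planted symlink redirects the deletions into a protected directory) and then in a hardened form. The directory layout, file names and the "protected" target are constructed for the demo. The hardened version relies on POSIX-only calls (O_NOFOLLOW, O_DIRECTORY, dir_fd and fd-based os.scandir); the Windows equivalent is discussed after the code.

```python
import os
import stat
import tempfile


def vulnerable_cleanup(root):
    """Cleanup as a vulnerable privileged component might do it: walk one level
    of a user-writable directory and delete every regular file in each subfolder.
    os.path.isdir()/isfile() and os.remove() all resolve symbolic links, so a
    subfolder that has been replaced by a link to a protected directory is
    silently traversed and the deletions land on the link's target."""
    deleted = []
    for name in os.listdir(root):
        sub = os.path.join(root, name)
        if os.path.isdir(sub):                 # follows the planted link
            for item in os.listdir(sub):
                path = os.path.join(sub, item)
                if os.path.isfile(path):
                    os.remove(path)            # unlinks the file behind the link
                    deleted.append(path)
    return deleted


def hardened_cleanup(root):
    """Same job without following links. Every directory is opened with
    O_NOFOLLOW|O_DIRECTORY and every unlink goes through dir_fd, so the
    "this is a real directory / regular file" decision and the deletion act on
    the same inode: there is no check-then-use window for an attacker to swap
    in a link, and a link that is already present is skipped, not followed."""
    deleted, skipped = [], []
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        with os.scandir(root_fd) as it:
            for entry in it:
                if entry.is_symlink():
                    skipped.append(os.path.join(root, entry.name))
                    continue
                if not entry.is_dir(follow_symlinks=False):
                    continue
                try:
                    sub_fd = os.open(entry.name,
                                     os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                                     dir_fd=root_fd)
                except OSError:                # ELOOP: swapped for a link mid-walk
                    skipped.append(os.path.join(root, entry.name))
                    continue
                try:
                    with os.scandir(sub_fd) as sub_it:
                        for item in sub_it:
                            st = os.lstat(item.name, dir_fd=sub_fd)
                            if stat.S_ISREG(st.st_mode):
                                os.unlink(item.name, dir_fd=sub_fd)
                                deleted.append(os.path.join(root, entry.name, item.name))
                finally:
                    os.close(sub_fd)
    finally:
        os.close(root_fd)
    return deleted, skipped


def build_scenario():
    """Constructed layout for the demo (not taken from the advisory):
    <base>/protected/important.dat   -- what the attacker wants deleted
    <base>/staging/cache/tmp.bin     -- a legitimate file the cleanup should remove
    <base>/staging/logs -> protected -- the attacker's planted symlink
    Returns the staging root and the path of the protected file."""
    base = tempfile.mkdtemp()
    protected = os.path.join(base, "protected")
    os.mkdir(protected)
    target = os.path.join(protected, "important.dat")
    with open(target, "w") as f:
        f.write("do not delete\n")
    staging = os.path.join(base, "staging")
    os.mkdir(staging)
    os.symlink(protected, os.path.join(staging, "logs"))
    cache = os.path.join(staging, "cache")
    os.mkdir(cache)
    with open(os.path.join(cache, "tmp.bin"), "w") as f:
        f.write("junk\n")
    return staging, target


def run_demo():
    """Run both variants on fresh layouts; returns whether the protected file
    survived each one."""
    staging, target = build_scenario()
    vulnerable_cleanup(staging)
    survived_vulnerable = os.path.exists(target)
    staging, target = build_scenario()
    hardened_cleanup(staging)
    survived_hardened = os.path.exists(target)
    return survived_vulnerable, survived_hardened


if __name__ == "__main__":
    print("protected file survived (vulnerable, hardened):", run_demo())
```

On Windows, where SupportAssist OS Recovery runs, the same pattern applies with a different API surface: creating a true symbolic link needs a privilege, but an unprivileged user can create a junction (mount point), and a privileged component that deletes by path will follow it. The hardened analogue is to open each directory with FILE_FLAG_OPEN_REPARSE_POINT, refuse entries carrying FILE_ATTRIBUTE_REPARSE_POINT, and delete relative to an already opened handle rather than by rebuilding the path.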

Details

CWE(s)
CWE-61 (UNIX Symbolic Link (Symlink) Following), CWE-59 (Improper Link Resolution Before File Access ('Link Following'))

Affected Products

dell
supportassist os recovery
< 5.5.13.1 (fixed in 5.5.13.1)

References

Dell Security Advisory DSA-2025-051: https://www.dell.com/support/kbdoc/en-us/000275712/dsa-2025-051