CVE-2025-23374
Published: 30 January 2025
Description
Dell Networking Switches running Enterprise SONiC OS, version(s) prior to 4.4.1 and 4.2.3, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.
Security Summary
CVE-2025-23374 is an Insertion of Sensitive Information into Log File vulnerability (CWE-532) affecting Dell Networking Switches running Enterprise SONiC OS in versions prior to 4.4.1 and 4.2.3. This flaw allows sensitive information to be logged, potentially exposing it to unauthorized viewers. The vulnerability received a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to network accessibility, changed scope, and high impacts across confidentiality, integrity, and availability.
A high-privileged attacker with remote access could exploit this vulnerability to achieve information exposure. The required privileges and high attack complexity limit feasibility to insiders or compromised high-level accounts, but successful exploitation could reveal sensitive data from log files, potentially enabling further compromise given the CVSS impacts on integrity and availability.
Dell's security advisory DSA-2025-057 provides a security update for the Dell Enterprise SONiC distribution vulnerability, available at https://www.dell.com/support/kbdoc/en-us/000278568/dsa-2025-057-security-update-for-dell-enterprise-sonic-distribution-vulnerability. Practitioners should apply the relevant patches to versions prior to 4.4.1 and 4.2.3 to mitigate the issue.
Details
- CWE(s)