CVE-2025-24919 HIGH

CVE-2025-24919: Dell ControlVault3/ControlVault3 Plus deserialization of untrusted input vulnerability

Vendor Broadcom

Product BCM5820X

Weakness CWE-502 · Unsafe deserialization

Published June 13, 2025

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Local

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault response to a command can lead to arbitrary code execution. An attacker can compromise a ControlVault firmware and have it craft a malicious response to trigger this vulnerability.

Key dates

02Disclosure timeline

June 13, 2025 CVE published

February 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-24919

Related vulnerabilities

Identifiers

CVE CVE-2025-24919

CWE CWE-502

CVSS 8.1 / HIGH

Affected versions

Vendor Broadcom

Product BCM5820X

Affected NA

Vendor Dell

Product ControlVault3

Affected < 5.15.10.14

Vendor Dell

Product ControlVault3 Plus

Affected < 6.2.26.36

CVE-2025-24919: Dell ControlVault3/ControlVault3 Plus deserialization of untrusted input vulnerability

01Description

02Disclosure timeline

03References

04Related CVE