CVE-2025-21107

7.8 HIGH

📋 TL;DR

This CVE describes an unquoted search path vulnerability in Dell NetWorker that allows local attackers with low privileges to execute arbitrary code. Attackers could place malicious executables in paths that get executed due to improper path quoting. All Dell NetWorker installations prior to version 19.11.0.3 and all versions of 19.10 are affected.

💻 Affected Systems

Products:
  • Dell NetWorker
  • Dell NetWorker Virtual Edition
  • Dell NetWorker Management Console
Versions: All versions prior to 19.11.0.3, all versions of 19.10, and earlier versions
Operating Systems: Windows (primary), potentially Linux/Unix variants where NetWorker runs
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local access to the system. The vulnerability exists in how NetWorker handles search paths when executing binaries.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with attacker gaining SYSTEM/root privileges, installing persistent backdoors, and pivoting to other systems in the network.

🟠 Likely Case: Local privilege escalation leading to data theft, credential harvesting, and lateral movement within the environment.

🟢 If Mitigated: Limited impact due to proper access controls, monitoring, and network segmentation preventing lateral movement.

🌐 Internet-Facing: LOW - This requires local access to the system, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Any compromised user account or malicious insider with local access could exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and low privileges. Attackers need to understand the specific unquoted paths and have write access to parent directories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 19.11.0.3 or later

Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000278811/dsa-2025-064-security-update-for-dell-networker-networker-virtual-edition-and-networker-management-console-multiple-component-vulnerabilities

Restart Required: No

Instructions:

1. Download the latest NetWorker update from Dell Support.
2. Apply the patch following Dell's installation guide.
3. Verify the version is 19.11.0.3 or later.

🔧 Temporary Workarounds

Restrict write permissions to vulnerable directories

Platform: all

Remove write permissions for low-privileged users from directories that could be used in the unquoted search path attack

Windows: icacls "C:\Program Files\NetWorker" /deny Users:(OI)(CI)W
Linux/Unix: chmod -R o-w /usr/local/networker/
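
To decide which directories need this ACL review, the following added example (not Dell's code and not part of the advisory) takes a command line and lists the locations Windows would probe before the intended binary when the path is unquoted. The command lines and binary names in SAMPLE are constructed placeholders, and the ".exe" boundary detection is a heuristic assumption.

```python
import ntpath

def interception_candidates(cmdline):
    """Paths Windows tries before the intended binary when cmdline is unquoted."""
    s = cmdline.strip()
    if s.startswith('"'):
        return []                       # quoted: the whole path is one token
    end = s.lower().find(".exe")        # heuristic: executable ends at first ".exe"
    exe = s[: end + 4] if end != -1 else s
    found = []
    pos = exe.find(" ")
    while pos != -1:
        prefix = exe[:pos]
        # CreateProcess appends ".exe" when the truncated name has no extension
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        found.append(prefix)
        pos = exe.find(" ", pos + 1)
    return found

def dirs_to_review(cmdline):
    """Directories where low-privileged write access must be denied."""
    dirs = []
    for candidate in interception_candidates(cmdline):
        parent = ntpath.dirname(candidate)
        if parent not in dirs:
            dirs.append(parent)
    return dirs

# Constructed sample input: entry names and binaries are placeholders,
# not real NetWorker services or files.
SAMPLE = {
    "unquoted-with-spaces": r"C:\Program Files\NetWorker\bin\example agent.exe -run",
    "quoted": r'"C:\Program Files\NetWorker\bin\example agent.exe" -run',
    "no-spaces": r"C:\NetWorker\bin\agent.exe -k run",
}

def audit(entries):
    """Map each risky entry to the directories whose ACLs need checking."""
    report = {}
    for name, cmd in entries.items():
        dirs = dirs_to_review(cmd)
        if dirs:
            report[name] = dirs
    return report

if __name__ == "__main__":
    for name, dirs in audit(SAMPLE).items():
        print(name, "->", dirs)
```

Feed it the command lines actually registered on the host (for example service ImagePath values) and check each reported directory with icacls.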

Implement application whitelisting

Platform: Windows

Use Windows AppLocker or similar solutions to restrict execution to authorized binaries only

🧯 If You Can't Patch

  • Implement strict access controls to limit local user access to NetWorker systems
  • Monitor for suspicious process creation and file writes in NetWorker directories

🔍 How to Verify

Check if Vulnerable:

Check NetWorker version via command line: 'nsr_render_log' or check installed version in Control Panel/Add Remove Programs

Check Version:

nsr_render_log -v

Verify Fix Applied:

Verify version is 19.11.0.3 or later using the same version check methods

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process execution from NetWorker directories
  • Failed privilege escalation attempts in Windows Event Logs
  • File creation in system directories by non-admin users

Network Indicators:

  • Unusual outbound connections from NetWorker servers
  • Lateral movement attempts from NetWorker systems

SIEM Query:

(source="windows_security" EventCode=4688 ProcessName="*NetWorker*") OR (source="sysmon" EventID=1 Image="*NetWorker*")
