CVE-2025-22480
📋 TL;DR
Dell SupportAssist OS Recovery versions before 5.5.13.1 contain a symbolic link attack vulnerability that allows local low-privileged attackers to delete arbitrary files and potentially gain elevated privileges. This affects Dell systems running vulnerable versions of the SupportAssist OS Recovery software. Attackers need local access to exploit this vulnerability.
💻 Affected Systems
- Dell SupportAssist OS Recovery
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary file deletion leading to privilege escalation, potential data destruction, and persistent backdoor installation.
Likely Case
Local attacker gains administrative privileges on the affected system, enabling further lateral movement and data access.
If Mitigated
Limited impact due to proper access controls, but still potential for local privilege escalation if exploited.
🎯 Exploit Status
Requires local access and low-privileged account. Symbolic link attacks typically involve race conditions and file manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.13.1
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000275712/dsa-2025-051
Restart Required: No
Instructions:
1. Open Dell SupportAssist OS Recovery.
2. Check for updates in the application.
3. Download and install version 5.5.13.1 or later.
4. Alternatively, download from Dell's support website using the advisory URL.
🔧 Temporary Workarounds
Disable SupportAssist OS Recovery
Windows: Temporarily disable the vulnerable software until patching can be completed.
Uninstall via Control Panel > Programs and Features > Dell SupportAssist OS Recovery
🧯 If You Can't Patch
- Restrict local access to systems with vulnerable software
- Implement strict privilege separation and monitor for suspicious file deletion activities
🔍 How to Verify
Check if Vulnerable:
Check SupportAssist OS Recovery version in the application or via Control Panel > Programs and Features.
Check Version:
Check in Windows: Control Panel > Programs and Features, or run 'wmic product get name,version' and look for Dell SupportAssist OS Recovery
Verify Fix Applied:
Verify version is 5.5.13.1 or later in the application or installed programs list.
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in Windows Security logs
- Multiple failed privilege escalation attempts
- Suspicious process creation from SupportAssist
Network Indicators:
- Not applicable - local attack only
SIEM Query:
Windows Security Event ID 4663 with process name containing 'SupportAssist' and target file paths indicating system files
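The SIEM query above, written out as a filter over exported 4663 events. This is an added example, not code from Dell or from this page's source. The event field layout, the protected-path prefixes, and every sample path and process name are assumptions constructed for illustration.

```python
import ntpath

DELETE = 0x10000  # DELETE bit in the AccessMask field of event 4663

# Assumption: which directories count as "system files" for this rule.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                      "c:\\program files (x86)\\")


def is_suspicious(event):
    """True when a SupportAssist process requested DELETE on a protected path."""
    if event.get("EventID") != 4663:
        return False
    data = event.get("EventData", {})
    if "supportassist" not in data.get("ProcessName", "").lower():
        return False
    try:
        mask = int(data.get("AccessMask", "0"), 16)
    except ValueError:
        return False  # malformed mask: skip rather than alert
    if not mask & DELETE:
        return False
    # Normalize so "..\" segments cannot hide a protected target.
    target = ntpath.normpath(data.get("ObjectName", "")).lower()
    return target.startswith(PROTECTED_PREFIXES)


def suspicious_deletes(events):
    """Return the events that match the rule, in input order."""
    return [e for e in events if is_suspicious(e)]


def make_event(process, target, mask):
    """Build a minimal 4663 record in the (assumed) exported shape."""
    return {"EventID": 4663, "EventData": {
        "ProcessName": process, "ObjectName": target, "AccessMask": mask}}


# Constructed sample events; every path and process name is made up.
SA = "C:\\Constructed\\SupportAssistExample.exe"
SAMPLE_EVENTS = [
    make_event(SA, "C:\\Windows\\System32\\constructed-target.dll", "0x10000"),
    make_event(SA, "C:\\ProgramData\\Constructed\\cache.tmp", "0x10000"),
    make_event(SA, "C:\\Windows\\System32\\constructed-read.dll", "0x1"),
    make_event("C:\\Windows\\explorer.exe", "C:\\Windows\\Temp\\constructed.tmp", "0x10000"),
]

if __name__ == "__main__":
    for hit in suspicious_deletes(SAMPLE_EVENTS):
        print(hit["EventData"]["ObjectName"])
```

Event 4663 is only written when file system auditing is enabled and the target object carries an auditing SACL, so an empty result does not by itself show that no deletions occurred.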