CVE-2025-38747
📋 TL;DR
Dell SupportAssist OS Recovery versions before 5.5.14.0 create temporary files with insecure permissions, allowing local authenticated attackers to modify these files and potentially gain elevated privileges. This affects Dell systems running vulnerable versions of the software, requiring an attacker to have local access and valid credentials.
💻 Affected Systems
- Dell SupportAssist OS Recovery
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could achieve full system compromise by replacing temporary files with malicious executables that run with elevated privileges, potentially gaining administrative control over the system.
Likely Case
A local user with standard privileges could exploit this to gain administrative rights on their own system, enabling installation of malware, data theft, or persistence mechanisms.
If Mitigated
With proper access controls and monitoring, exploitation would be limited to authorized users who already have some level of system access, reducing the overall risk.
🎯 Exploit Status
Exploitation requires local authenticated access and knowledge of temporary file creation patterns. No public exploits have been reported as of the advisory date.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.14.0
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000353093/dsa-2025-315
Restart Required: Yes
Instructions:
1. Download Dell SupportAssist OS Recovery version 5.5.14.0 or later from Dell's support site.
2. Run the installer with administrative privileges.
3. Follow the installation prompts.
4. Restart the system when prompted.
🔧 Temporary Workarounds
Uninstall SupportAssist OS Recovery
Windows: Remove the vulnerable software entirely if not required for system functionality.
Control Panel > Programs > Uninstall a program > Select 'Dell SupportAssist OS Recovery' > Uninstall
Restrict Local Access
Windows: Limit local user accounts and implement strict access controls to reduce attack surface.
🧯 If You Can't Patch
- Implement strict least-privilege access controls to limit which users can log in locally
- Monitor for suspicious file creation/modification in temporary directories and implement application whitelisting
🔍 How to Verify
Check if Vulnerable:
Check the installed version of Dell SupportAssist OS Recovery in Control Panel > Programs and Features. If the version is below 5.5.14.0, the system is vulnerable.
Check Version:
wmic product where "name like 'Dell SupportAssist OS Recovery%'" get version
Verify Fix Applied:
After updating, verify the version shows 5.5.14.0 or higher in Control Panel > Programs and Features.
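The same version check as a script, for hosts where it needs to run unattended. This is an added example, not code from Dell or from the original page; it reads the standard uninstall registry keys instead of calling wmic, which is deprecated on current Windows releases. It assumes the product registers a DisplayName matching the name used in the wmic query above; the function names are hypothetical.

```powershell
# Added example: flag installs older than the fixed release named in the advisory.
$FixedVersion = [version]'5.5.14.0'                 # patch version from this page
$NamePattern  = 'Dell SupportAssist OS Recovery*'   # same name filter as the wmic query (assumed DisplayName)

# Standard per-machine uninstall keys (64-bit and 32-bit registry views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Hypothetical helper: parse a version string and pad it to four fields.
function ConvertTo-FourPartVersion {
    param([string]$Text)
    $v = $null
    if (-not [version]::TryParse($Text, [ref]$v)) { return $null }
    # Missing Build/Revision parse as -1; treat them as 0 so 5.5.14 equals 5.5.14.0.
    return [version]::new($v.Major, $v.Minor, [Math]::Max($v.Build, 0), [Math]::Max($v.Revision, 0))
}

# Hypothetical helper: one status object per matching install on this host.
function Get-SupportAssistRecoveryStatus {
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern }
    foreach ($entry in $entries) {
        $installed = ConvertTo-FourPartVersion -Text ([string]$entry.DisplayVersion)
        # Compare as versions, not strings: '5.5.9.0' sorts after '5.5.14.0' as text.
        if ($null -eq $installed)             { $status = 'Unknown (unparseable version)' }
        elseif ($installed -lt $FixedVersion) { $status = 'Vulnerable' }
        else                                  { $status = 'Patched' }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $entry.DisplayName
            Version  = $entry.DisplayVersion
            Status   = $status
        }
    }
}

$results = @(Get-SupportAssistRecoveryStatus)
if ($results.Count -eq 0) {
    Write-Output 'Dell SupportAssist OS Recovery not found in the uninstall registry keys.'
} else {
    $results | Format-Table -AutoSize
}
```

Requires Windows PowerShell 5.1 or later for `[version]::new`.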
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation/modification in temporary directories by SupportAssist processes
- Multiple failed privilege escalation attempts followed by successful elevation
Network Indicators:
- No specific network indicators as this is a local vulnerability
SIEM Query:
EventID=4688 AND ProcessName LIKE '%SupportAssist%' AND CommandLine LIKE '%temp%'