CVE-2025-46363
📋 TL;DR
Dell Secure Connect Gateway (SCG) versions 5.26.00.00 through 5.30.00.00 contain a relative path traversal vulnerability in a REST API endpoint used for internal collection downloads. If this API is enabled by an administrator, a low-privileged attacker with remote access could potentially access restricted resources. This affects SCG 5.0 Application and Appliance deployments.
💻 Affected Systems
- Dell Secure Connect Gateway (SCG) 5.0 Application
- Dell Secure Connect Gateway (SCG) 5.0 Appliance
⚠️ Risk & Real-World Impact
Worst Case
An attacker could access sensitive system files, configuration data, or other restricted resources, potentially leading to further system compromise or data exfiltration.
Likely Case
Limited access to internal files or configuration data that could be used for reconnaissance or to facilitate other attacks.
If Mitigated
No impact if the vulnerable REST API is disabled or proper access controls prevent exploitation.
🎯 Exploit Status
Requires low-privileged remote access and the vulnerable REST API to be enabled. Path traversal techniques would need to be crafted against the specific endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.31.00.00 or later
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000385239/dsa-2025-386-security-update-for-dell-secure-connect-gateway-rest-api
Restart Required: No
Instructions:
1. Download the latest SCG version (5.31.00.00 or later) from Dell Support.
2. Follow Dell's upgrade documentation for your deployment type (Application or Appliance).
3. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Disable vulnerable REST API
Disable the internal collection download REST API in the SCG administrative interface if it is not required.
Navigate to SCG Admin UI > Configuration > REST API settings > Disable internal collection download endpoint
🧯 If You Can't Patch
- Ensure the vulnerable REST API is disabled in the SCG administrative interface.
- Implement network segmentation to restrict access to SCG management interfaces to authorized administrators only.
🔍 How to Verify
Check if Vulnerable:
Check SCG version in administrative interface. If version is between 5.26.00.00 and 5.30.00.00 inclusive, and the internal collection download REST API is enabled, the system is vulnerable.
Check Version:
Check version in SCG web administrative interface under System Information or similar section.
Verify Fix Applied:
Verify SCG version is 5.31.00.00 or later in administrative interface.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to the internal collection download REST API endpoint
- Failed path traversal attempts in web server logs
Network Indicators:
- HTTP requests containing path traversal sequences (../) to SCG REST API endpoints
SIEM Query:
source="scg_logs" AND (uri="*../*" OR (method="GET" AND uri="*/api/internal/collection/download*"))
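The literal `../` match in the query above does not see percent-encoded or double-encoded sequences. The following is an added example, not code from Dell or from the original page: a log triage script that decodes the URI before matching. It assumes an Apache/nginx-style access log, takes the endpoint path from the SIEM query above, and runs on constructed sample lines with hypothetical file names.

```python
import re
from urllib.parse import unquote

# Endpoint path copied from the page's SIEM query; not verified against the product.
ENDPOINT = "/api/internal/collection/download"
# Assumption: access log in Apache/nginx "combined" style: "METHOD URI HTTP/x" STATUS
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A ".." segment bounded by a separator or query delimiter on each side.
TRAVERSAL_RE = re.compile(r"(?:^|[/\\?=&])\.\.(?:[/\\&]|$)")

def normalize(uri, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded '../' is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(line):
    """Return a severity string for one log line, or None if nothing matches."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    uri = normalize(m["uri"])
    traversal = bool(TRAVERSAL_RE.search(uri))
    on_endpoint = ENDPOINT in uri.lower()
    if traversal and on_endpoint and m["status"].startswith("2"):
        return "high"      # traversal against the endpoint that the server answered
    if traversal:
        return "medium"    # traversal attempt, blocked or aimed elsewhere
    if on_endpoint:
        return "info"      # plain use of the endpoint; review if it should be disabled
    return None

# Constructed sample lines (documentation addresses, hypothetical file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2025:10:00:00 +0000] "GET /api/internal/collection/download/report..v2.zip HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Dec/2025:10:02:11 +0000] "GET /api/internal/collection/download/..%2f..%2fexample.txt HTTP/1.1" 200 812',
    '192.0.2.44 - - [01/Dec/2025:10:02:15 +0000] "GET /api/internal/collection/download/%252e%252e%255cexample.txt HTTP/1.1" 403 0',
    '192.0.2.10 - - [01/Dec/2025:10:05:00 +0000] "GET /ui/dashboard HTTP/1.1" 200 2048',
]

def triage(lines):
    """Return (severity, line) pairs for every line that matched a rule."""
    return [(sev, ln) for ln in lines if (sev := classify(ln))]

if __name__ == "__main__":
    for severity, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {line}")
```

A file name such as `report..v2.zip` is not flagged as traversal because the dots are not a standalone path segment.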