CVE-2025-46684
📋 TL;DR
Dell SupportAssist OS Recovery versions before 5.5.15.1 create temporary files with insecure permissions, allowing local low-privileged attackers to modify those files. This could lead to information tampering where attackers alter system recovery data. Only Dell systems with vulnerable SupportAssist OS Recovery installed are affected.
💻 Affected Systems
- Dell SupportAssist OS Recovery
⚠️ Risk & Real-World Impact
Worst Case
An attacker could tamper with recovery files to install persistent malware, corrupt system recovery processes, or escalate privileges by manipulating temporary files used by privileged processes.
Likely Case
Local low-privileged user modifies temporary files to disrupt system recovery operations or cause denial of service during recovery attempts.
If Mitigated
With proper access controls and monitoring, impact is limited to temporary file manipulation that doesn't affect core system operations.
🎯 Exploit Status
Exploitation requires local access and low privileges. The vulnerability involves predictable temporary file handling that could be manipulated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.15.1
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000401506/dsa-2025-456
Restart Required: Yes
Instructions:
1. Open Dell SupportAssist OS Recovery.
2. Check for updates in the application settings.
3. Download and install version 5.5.15.1 or later.
4. Restart the system to complete installation.
🔧 Temporary Workarounds
Disable SupportAssist OS Recovery
Platform: Windows
Temporarily disable the vulnerable component until patching is possible
Uninstall via Control Panel > Programs and Features > Dell SupportAssist OS Recovery
Restrict local access
Platform: All
Limit local user access to systems with vulnerable software
🧯 If You Can't Patch
- Implement strict local access controls and monitor for unauthorized local user activity
- Disable or remove Dell SupportAssist OS Recovery from critical systems
🔍 How to Verify
Check if Vulnerable:
Check the Dell SupportAssist OS Recovery version in Control Panel > Programs and Features. If the version is below 5.5.15.1, the system is vulnerable.
Check Version:
wmic product where "name like 'Dell SupportAssist OS Recovery%'" get version
Verify Fix Applied:
Verify version is 5.5.15.1 or higher in Control Panel > Programs and Features after update.
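The version check above can also be scripted for fleet use. The following PowerShell is an added example, not Dell's or the advisory's own tooling; it reads the standard Windows uninstall registry keys instead of `wmic product`, since WMIC is deprecated and enumerating Win32_Product triggers a Windows Installer consistency check. It assumes the product registers under those keys with the display name used in the wmic query above; the function name `Get-SupportAssistRecoveryStatus` is hypothetical.

```powershell
# Added example: flag Dell SupportAssist OS Recovery installs older than the fixed version.
$FixedVersion = [version]'5.5.15.1'                  # patch version from the advisory
$NamePattern  = 'Dell SupportAssist OS Recovery*'    # display name from the page's wmic query

# Standard per-machine uninstall keys (64-bit and 32-bit registry views).
# Assumption: the product registers itself under one of these keys.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-SupportAssistRecoveryStatus {
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.PSObject.Properties['DisplayName'] -and $_.DisplayName -like $NamePattern }

    foreach ($entry in $entries) {
        $parsed = $null
        # DisplayVersion can be missing or non-numeric; report that instead of guessing.
        $ok = [version]::TryParse([string]$entry.DisplayVersion, [ref]$parsed)
        $status = if (-not $ok) { 'Unknown' }
                  elseif ($parsed -lt $FixedVersion) { 'Vulnerable' }
                  else { 'Patched' }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            DisplayName  = $entry.DisplayName
            Version      = $entry.DisplayVersion
            Status       = $status
        }
    }
}

$result = @(Get-SupportAssistRecoveryStatus)
if ($result.Count -eq 0) {
    Write-Output 'Dell SupportAssist OS Recovery not found in the uninstall registry keys.'
} else {
    $result | Format-Table -AutoSize
}
```

A status of `Unknown` means the entry exists but its version string could not be parsed; confirm those hosts manually in Programs and Features.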
📡 Detection & Monitoring
Log Indicators:
- Unusual file modifications in temporary directories by low-privileged users
- Multiple failed recovery attempts in SupportAssist logs
Network Indicators:
- Not applicable - local vulnerability only
SIEM Query:
EventID=4663 AND ObjectName LIKE '%\Temp\%' AND SubjectUserName NOT IN (privileged_users) AND ProcessName LIKE '%SupportAssist%'