CVE-2025-22395 · CWE-280 · Disclosed 2025-01-07

Dell Update Package Framework

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a spare key hidden inside the maintenance cart, not a front-door lock pick

CVE-2025-22395 is a local privilege-escalation flaw in Dell Update Package (DUP) Framework affecting versions before 22.01.02. Dell says a local low-privileged attacker can abuse the framework and reach arbitrary remote script execution on the server, with possible denial of service. The advisory and workaround strongly narrow the path: the risk is tied to Microsoft Windows use of the DUP Extract option in vulnerable package files, while Dell explicitly says to avoid that workflow and use command-line extraction instead until updated.

Dell's 8.2/HIGH score overstates enterprise urgency because it prices in full impact after compromise, not the friction before compromise. This is not an unauthenticated remote bug, not an internet-facing service bug, and not a broad wormable update agent flaw; it is a post-initial-access, local, user-interaction-dependent abuse case in a maintenance utility that many servers will only touch during update workflows. The impact is real once an attacker is already on the box, but the reachable population is much smaller than the CVSS headline implies.

"Vendor says HIGH; reality says niche post-compromise LPE with a very specific Windows extract workflow."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Gain a foothold on the target host

The attacker first needs local code execution as a low-privileged user on a Windows system where a vulnerable DUP file is present. There is no network entry here; this CVE only matters after phishing, stolen credentials, an agent abuse path, or another local execution route has already succeeded. *Weaponized tool:* whatever delivered the initial foothold, not a public CVE-2025-22395 exploit kit.
Conditions required:
  • Attacker has interactive or scripted local execution on the host
  • A vulnerable Dell DUP package with file version below 22.01.02 exists on disk or is staged for maintenance
  • The affected environment is using Microsoft Windows
Where this breaks in practice:
  • This is already post-compromise
  • Many enterprises do not leave old DUP executables lying around on every endpoint
  • Linux-only estates and non-Dell estates are out of scope
Detection/coverage: EDR should already see the initial foothold. Vulnerability scanners can inventory vulnerable DUP file versions, but they will not prove exploitability unless they also find the file locally.
STEP 02

Trigger the vulnerable extract workflow

The attacker has to reach the Windows Extract option path on the vulnerable package. Dell's own workaround is unusually revealing here: avoid using Extract in Windows for versions below 22.01.02, and use command-line extraction instead. *Weaponized tool:* the DUP GUI/interactive extraction path itself; no public PoC or named exploit framework was found.
Conditions required:
  • The attacker can invoke the vulnerable package in interactive Windows mode
  • The specific extraction workflow is available and used
  • User interaction is possible, matching Dell's CVSS UI:R rating
Where this breaks in practice:
  • This is a niche maintenance workflow, not a background listener
  • Silent update pipelines using alternate methods may never hit the bad path
  • Enterprises with software allowlisting can constrain ad hoc package execution
Detection/coverage: Process creation telemetry can catch suspicious launches of Dell update executables from temp paths, user profiles, downloads, or remote admin shares. Traditional network scanners have no coverage here.
STEP 03

Abuse permission handling to jump privilege

Once the vulnerable path is reached, the flaw in permission/privilege handling can let a low-privileged user pivot into elevated script execution under a more privileged context. That is the real danger: turning a constrained local account into a host-level control point through trusted update tooling. *Weaponized tool:* custom abuse of the vulnerable extraction/runtime path; no public commodity exploit was located.
Conditions required:
  • The vulnerable code path is reachable on that host
  • The host allows the package to run and extract
  • Security tooling does not block the abnormal child process or script execution
Where this breaks in practice:
  • Modern EDR can flag a trusted updater unexpectedly spawning script interpreters
  • Application control can block unsigned or anomalous child processes
  • The bug appears narrowly tied to DUP framework behavior rather than all Dell management software
Detection/coverage: Watch for *.exe Dell update packages spawning cmd.exe, powershell.exe, wscript.exe, or script engines, especially from user-writeable extraction locations.
STEP 04

Use elevated execution for persistence or disruption

After privilege gain, an attacker can alter the host, run follow-on tooling, or deliberately break services. On servers, the blast radius is the single compromised host unless that host already has privileged management reach into broader infrastructure. *Weaponized tool:* follow-on post-exploitation tooling such as PowerShell, service creation, credential dumping, or ransomware staging.
Conditions required:
  • Privilege escalation succeeds
  • The host contains data, credentials, or admin paths worth abusing
Where this breaks in practice:
  • Impact is primarily host-local unless the server is itself an admin pivot
  • Segmentation and PAM reduce downstream blast radius
  • There is no direct mass-exploitation path from the internet
Detection/coverage: EDR and Windows event telemetry should detect post-escalation behaviors better than they detect the flaw itself.
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No authoritative evidence of active exploitation was found in the sources reviewed. This CVE is not present in the CISA KEV catalog search results reviewed.
PoC availability: No public GitHub PoC, Metasploit module, or named exploit repo was found during review. That does not make it safe, but it does remove a major amplifier.
EPSS: The user-supplied EPSS is 0.00128 (~0.13%), which is low and consistent with a niche, local-only abuse path. *The percentile was not independently verified from a primary source in this review.*
KEV status: Not KEV-listed as of the CISA catalog page reviewed. No federal urgent-exploitation signal is present.
CVSS vector reality check: The vendor CVSS vector is AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H; the parts that matter are local access, low privileges required, and user interaction required. That combination is a classic sign of post-compromise severity inflation when read by patch teams.
Affected versions: The affected product is Dell Update Package (DUP) Framework before 22.01.02. NVD also models the vulnerable range as update_package_framework versions up to but excluding 22.01.02.
Fixed version and vendor workaround: Dell remediates in 22.01.02 or later. Temporary control: on Microsoft Windows, do not use the vulnerable package Extract option for versions below 22.01.02; use command-line extraction instead.
Exposure / scanning reality: There is no meaningful Shodan/Censys/GreyNoise-style internet census for this issue because a DUP is a self-contained executable update package, not a listening network service. Exposure is about where the files are staged and who can run them, not about open ports. *That conclusion is inferred from Dell's product documentation and the local attack vector.*
Disclosure and attribution: Dell published the advisory on 2025-01-06 and the user-supplied disclosure date is 2025-01-07. Dell credits Gee-netics for reporting the issue.
Scoring discrepancy: Dell as CNA scores this 8.2/HIGH with UI:R, while NVD shows a separate 7.8/HIGH enrichment vector with UI:N. For defenders, Dell's own workaround and advisory language make the workflow-specific, user-interaction-dependent interpretation more credible.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.3/10)

The decisive factor is attacker position: this bug starts at local low-privileged code execution, which means the attacker is already on the host before this CVE matters. The second major drag is reachability: Dell's own mitigation points to a specific Windows Extract workflow, sharply narrowing how often real enterprise deployments will ever expose the vulnerable path.

HIGH · This is a **post-initial-access** vulnerability, not an initial-access vulnerability
MEDIUM · The vulnerable path is **narrow and workflow-dependent** based on Dell's workaround wording
MEDIUM · The absence of active exploitation or a public PoC materially reduces urgency

Why this verdict

  • Start from vendor 8.2, then cut hard for attacker position: AV:L + PR:L means the attacker already has a foothold on the box. For a 10,000-host estate, that is not patch-everything-now territory by itself.
  • Cut again for reachability: Dell's workaround specifically calls out the Windows Extract option on vulnerable package files. That implies the dangerous path is not the default exposure model for every system merely running Dell hardware.
  • Cut again for population size: DUP is an update package/executable used in maintenance workflows, not a permanently exposed service. Internet-facing reach is effectively nil, and many hosts will never execute the vulnerable path.
  • Cut a little back up for impact: if the path is reachable, a low-privileged user can turn that into elevated execution on a server. Host compromise impact is real, especially on management or admin-jump systems.
  • No exploitation amplifier: no KEV listing, no authoritative in-the-wild reporting, and no public exploit tooling were found. That removes the strongest reasons to stay in HIGH.

Why not higher?

This is not remotely reachable, not unauthenticated, and not broad-spectrum across all Dell operations. The chain requires local access, low privileges, and apparently a specific interactive Windows extraction workflow, which compounds the friction and materially limits the exposed population.

Why not lower?

Once an attacker is already on the host, this can still become a real privilege-escalation event with full host impact. On sensitive servers or management nodes, host-local LPEs are never free: they can break containment, defeat least privilege, and turn a small foothold into durable control.

05 · Compensating Control

What to do — in priority order.

  1. Block vulnerable DUP execution from user-writeable paths — Use AppLocker, WDAC, or equivalent allowlisting so Dell update executables cannot be launched from %TEMP%, %USERPROFILE%, downloads, or ad hoc admin shares. This narrows the reachable path immediately; for a MEDIUM verdict there is no mitigation SLA, but this is still worth doing on admin workstations and server maintenance jump boxes before the 365-day remediation window closes.
  2. Ban the Windows GUI Extract workflow for old DUPs — Until all staged packages are at 22.01.02+, standardize on Dell's safer workaround: do not use the Windows Extract option on vulnerable package versions, and use approved command-line methods instead. This directly suppresses the path Dell itself identified; for MEDIUM, there is no mitigation SLA, so prioritize it where Dell package handling is common.
  3. Purge old DUP packages from repositories and shares — Search software shares, SCCM/ConfigMgr content libraries, Intune package sources, golden images, and admin toolkits for DUP files with version below 22.01.02 and remove them. This reduces accidental reachability and cuts the attack surface at scale before patching every endpoint.
  4. Hunt for updater-child-process abuse — Create detections for Dell update executables spawning powershell.exe, cmd.exe, wscript.exe, or other script engines, especially from user-writeable extraction folders. This is the best operational tripwire because exploit behavior is more visible than the underlying flaw.
  5. Tighten local admin and interactive logon rights — Because the vulnerability is local and post-compromise, reducing who can log on interactively to servers and who can stage packages locally meaningfully lowers risk. Focus first on jump boxes, management servers, and shared admin endpoints.
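The tripwire in item 4 (and the detection notes under STEP 02 and STEP 03) can be expressed as a small rule over process-creation telemetry. The following is an added example, not part of the noisgate assessment or any Dell tooling: it parses a handful of constructed Sysmon-style Event ID 1 records, identifies Dell Update Package executables by the same "_A<nn>" file-name heuristic the page's verification script uses, and flags a package that launches from a user-writeable path or share, or that spawns a script engine. The log format, the user-writeable path list and the sample events are all assumptions made for the example.

```python
# Added example: detection rule for Dell DUP child-process abuse over constructed
# Sysmon-style process-creation records. Not part of the original assessment.
import re
from dataclasses import dataclass

# Script engines that should not normally be children of a Dell update package
# (the page names cmd.exe, powershell.exe and wscript.exe; pwsh.exe, cscript.exe
# and mshta.exe are added here as "other script engines").
SCRIPT_ENGINES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Heuristic for a DUP file name: the "_A<nn>" revision token, matching the page's PowerShell checker.
DUP_NAME_RE = re.compile(r"_A\d{2}.*\.exe$", re.IGNORECASE)

# Locations a low-privileged user can normally write to, plus UNC shares.
# Assumption: standard Windows layout (C:\Users\<name>\..., C:\Windows\Temp\...).
USER_WRITABLE_RE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\|[a-z]:\\windows\\temp\\|\\\\[^\\]+\\)", re.IGNORECASE)

# key=value or key="quoted value" pairs, as a Sysmon Event ID 1 record might be flattened.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records: two benign, one low-signal launch, three abuse patterns.
SAMPLE_LOG = r'''
2025-01-08T09:12:40Z EventID=1 User=CORP\jdoe ParentImage="C:\Windows\explorer.exe" Image="C:\Users\jdoe\Downloads\Network_Firmware_XYZ_WN64_22.00.14_A00.EXE" CommandLine="Network_Firmware_XYZ_WN64_22.00.14_A00.EXE"
2025-01-08T09:12:44Z EventID=1 User=CORP\jdoe ParentImage="C:\Users\jdoe\Downloads\Network_Firmware_XYZ_WN64_22.00.14_A00.EXE" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -File C:\Users\jdoe\AppData\Local\Temp\dup\post.ps1"
2025-01-08T09:15:02Z EventID=1 User=CORP\jdoe ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe"
2025-01-08T10:03:11Z EventID=1 User=CORP\svc-patch ParentImage="C:\Dell\Packages\BIOS_ABC_WN64_1.12.0_A03.EXE" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c set"
2025-01-08T10:05:30Z EventID=1 User=CORP\jdoe ParentImage="\\fileserver\packages\Chipset_DEF_WN64_10.1.2_A02.EXE" Image="C:\Windows\System32\wscript.exe" CommandLine="wscript.exe C:\Users\jdoe\AppData\Local\Temp\x.vbs"
2025-01-08T10:07:00Z EventID=1 User=CORP\svc-patch ParentImage="C:\Dell\Packages\BIOS_ABC_WN64_1.12.0_A03.EXE" Image="C:\Windows\System32\msiexec.exe" CommandLine="msiexec.exe /i driver.msi /qn"
'''


@dataclass
class Finding:
    timestamp: str
    user: str
    parent: str
    child: str
    severity: str
    reasons: tuple


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_dup(path: str) -> bool:
    return bool(DUP_NAME_RE.search(basename(path)))


def parse_event(line: str) -> dict:
    """Flatten one record into a dict; the leading token is taken as the timestamp."""
    event = {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}
    event["Timestamp"] = line.split(" ", 1)[0]
    return event


def evaluate(event: dict):
    """Return a Finding for a suspicious record, or None for a benign one."""
    parent, child = event.get("ParentImage", ""), event.get("Image", "")
    reasons = []
    # STEP 02 signal: the package itself starts from a path the user controls.
    if is_dup(child) and USER_WRITABLE_RE.match(child):
        reasons.append("DUP launched from user-writeable path or share")
    # STEP 03 signal: a package spawns a script engine; worse when the package sits in a user path.
    spawned_engine = is_dup(parent) and basename(child) in SCRIPT_ENGINES
    if spawned_engine:
        reasons.append("DUP spawned script engine " + basename(child))
        if USER_WRITABLE_RE.match(parent):
            reasons.append("parent DUP resides in user-writeable path or share")
    if not reasons:
        return None
    if spawned_engine and len(reasons) >= 2:
        severity = "high"     # trusted updater in a user path spawning a script engine
    elif spawned_engine:
        severity = "medium"   # script engine spawned from a managed package location
    else:
        severity = "low"      # unusual launch location only; worth a look, not an alert storm
    return Finding(event["Timestamp"], event.get("User", ""), parent, child, severity, tuple(reasons))


def scan(log_text: str) -> list:
    findings = []
    for line in log_text.strip().splitlines():
        if line.strip():
            finding = evaluate(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.severity.upper(), f.timestamp, f.user, basename(f.parent), "->", basename(f.child), "|", "; ".join(f.reasons))
```

The rule deliberately rates a package launched from Downloads or a share without a script-engine child as low, so that routine technician activity does not drown the real signal; the high tier is reserved for the combination the assessment describes, a trusted updater in a user-controlled location spawning cmd.exe, powershell.exe or wscript.exe.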
What doesn't work
  • A perimeter firewall does not help because this is not a network-facing service vulnerability.
  • External ASM / internet scanning does not help much because there is no routable service signature to discover.
  • MFA alone does not mitigate the flaw once an attacker already has local execution on the host.
  • Generic patch deferral based only on 'local bugs are low risk' is too simplistic; this can still be meaningful on privileged server-management systems.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host, on a package repository share, or from an auditor workstation that can read the relevant files. Invoke it with powershell -ExecutionPolicy Bypass -File .\Test-DellDUP-CVE-2025-22395.ps1 -Path 'C:\Temp\DellPackages' or point -Path at a single DUP .exe; administrator rights are not required for read-only checks, but you need file-system access to the target path.

noisgate-verify.ps1
PowerShell · read-only · safe
# Test-DellDUP-CVE-2025-22395.ps1
# Checks Dell Update Package (DUP) executables for vulnerable framework versions prior to 22.01.02.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]$Path
)

function Convert-ToVersion {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $null }

    # Extract the first numeric version-looking token, e.g. 22.01.02 or 22.01.02.00
    $m = [regex]::Match($Value, '(\d+)(\.\d+){1,3}')
    if (-not $m.Success) { return $null }

    $parts = $m.Value.Split('.')
    while ($parts.Count -lt 4) { $parts += '0' }
    try {
        return [version]::new([int]$parts[0],[int]$parts[1],[int]$parts[2],[int]$parts[3])
    } catch {
        return $null
    }
}

$fixed = [version]'22.1.2.0'   # 22.01.02, zero-padded to four parts to match Convert-ToVersion
$results = @()

try {
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output 'UNKNOWN - path not found'
        exit 2
    }

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($item.PSIsContainer) {
        $files = Get-ChildItem -LiteralPath $Path -Recurse -File -Include *.exe -ErrorAction SilentlyContinue
    } else {
        $files = @($item)
    }

    foreach ($file in $files) {
        try {
            $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($file.FullName)
            $productName = $vi.ProductName
            $desc = $vi.FileDescription
            $fileVersionRaw = $vi.FileVersion
            $productVersionRaw = $vi.ProductVersion

            $isDellDup = $false
            if ($productName -match 'Dell Update Package' -or $desc -match 'Dell Update Package' -or $file.Name -match '^[A-Z0-9_\-]+_A\d+.*\.exe$') {
                $isDellDup = $true
            }

            if (-not $isDellDup) { continue }

            $ver = Convert-ToVersion $productVersionRaw
            if (-not $ver) { $ver = Convert-ToVersion $fileVersionRaw }

            if (-not $ver) {
                $results += [pscustomobject]@{
                    Path = $file.FullName
                    Version = (@($productVersionRaw, $fileVersionRaw) | Where-Object { -not [string]::IsNullOrWhiteSpace($_) }) -join ' '
                    Status = 'UNKNOWN'
                    Reason = 'Could not parse version'
                }
                continue
            }

            if ($ver -lt $fixed) {
                $results += [pscustomobject]@{
                    Path = $file.FullName
                    Version = $ver.ToString()
                    Status = 'VULNERABLE'
                    Reason = 'Version is prior to 22.01.02'
                }
            } else {
                $results += [pscustomobject]@{
                    Path = $file.FullName
                    Version = $ver.ToString()
                    Status = 'PATCHED'
                    Reason = 'Version is 22.01.02 or later'
                }
            }
        } catch {
            $results += [pscustomobject]@{
                Path = $file.FullName
                Version = ''
                Status = 'UNKNOWN'
                Reason = $_.Exception.Message
            }
        }
    }

    if (-not $results -or $results.Count -eq 0) {
        Write-Output 'UNKNOWN - no candidate Dell DUP executables found at the supplied path'
        exit 2
    }

    $results | Sort-Object Status, Path | Format-Table -AutoSize | Out-String | Write-Output

    if ($results.Status -contains 'VULNERABLE') {
        Write-Output 'VULNERABLE'
        exit 1
    }

    if ($results.Status -contains 'PATCHED') {
        Write-Output 'PATCHED'
        exit 0
    }

    Write-Output 'UNKNOWN'
    exit 2
} catch {
    Write-Output ('UNKNOWN - ' + $_.Exception.Message)
    exit 2
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not treat this like a fleetwide emergency just because the vendor said HIGH. First, inventory where vulnerable DUP files below 22.01.02 are actually staged, especially on Windows server admin boxes, package repositories, SCCM/Intune content stores, and jump hosts. Because this is MEDIUM, there is no noisgate mitigation SLA; go straight to the 365-day remediation window unless your environment heavily uses the vulnerable Windows Extract workflow. In practice, remove or block old DUP packages and standardize on Dell's command-line workaround where needed, then replace vulnerable packages with 22.01.02+ under the noisgate remediation SLA of ≤365 days. If you find these packages on high-value admin systems, do that cleanup in your next normal maintenance cycle rather than letting them linger all year.

Sources

  1. Dell advisory DSA-2025-034
  2. NVD CVE-2025-22395
  3. Dell Update Packages 22.01.00 User's Guide - Getting Started
  4. Dell Update Packages 22.01.00 User's Guide - Windows CLI options
  5. CISA Known Exploited Vulnerabilities Catalog
  6. FIRST EPSS overview
  7. OSV entry mirroring CVE publication metadata