CVE-2024-48831
Published: 17 March 2025
Summary
CVE-2024-48831 is a high-severity Use of Hard-coded Password (CWE-259) vulnerability in Dell SmartFabric OS10. Its CVSS v3.1 base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE is ranked at the 26.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 PE-3 (Physical Access Control) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the hard-coded password by requiring timely identification, reporting and patching of the flaw, which here means applying the update in Dell's security advisory.
- PE-3 (Physical Access Control): limits who can reach the local attack vector (AV:L) by restricting physical and console access to the switch. It reduces exposure but does not remove the embedded credential.
- IA-5 (Authenticator Management): addresses the root cause by requiring secure management of authenticators and prohibiting embedded static passwords in software.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a hard-coded password (CWE-259), that is, a credential that ships inside the software itself and is therefore identical on every device running the affected build. An attacker with local access can locate it in the installed files or binaries (T1552.001, Credentials In Files) and use it for unauthorized access; with C:H/I:H/A:H impacts in the vector, that amounts to full compromise of the system.
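The following is an added example, not Dell's code and not taken from the advisory, showing the pattern this section describes: a login check with the password embedded in the program (the CWE-259 flaw), the file-scanning step a local attacker performs to find it (T1552.001), and a hardened replacement in which the secret is generated per install, stored only as a salted hash in a 0600 file, and compared in constant time. All names, paths, secret values and the sample configuration lines are constructed for illustration and are not OS10 artifacts.

```python
"""Added example, not Dell's code and not taken from the advisory.

Shows the three things the CWE-259 / T1552.001 pairing is about:
  1. a login check with the password embedded in the program (the flaw),
  2. the discovery step a local attacker performs against files on disk,
  3. a hardened replacement where the secret is generated per install,
     stored only as a salted hash in a 0600 file and compared in
     constant time.
All names, paths, secrets and sample config lines below are constructed
for illustration and are not OS10 artifacts."""
import hashlib
import hmac
import os
import re
import secrets
import tempfile

# 1. Vulnerable pattern (CWE-259): the credential is a literal in the code,
#    so anyone who can read the binary, script or image recovers it, and it
#    is the same on every device that ships this build.
HARDCODED_PASSWORD = "example-hardcoded-pw"      # constructed value

def vulnerable_login(password: str) -> bool:
    # '==' also leaks timing; a secondary weakness next to the literal.
    return password == HARDCODED_PASSWORD

# 2. T1552.001, Credentials In Files: a local attacker greps the filesystem
#    for credential-looking assignments. The same scan is useful as a
#    pre-release audit of an image.
CRED_RE = re.compile(r"""(?i)(password|passwd|secret|token)\s*[:=]\s*["']?([^"'\s]{4,})""")

def find_hardcoded_credentials(lines):
    """Return (line_no, key, value) for lines assigning a credential literal.

    References to an environment variable or secret store (${VAR}, %VAR%,
    <placeholder>) are skipped: those are configuration, not a literal."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CRED_RE.search(line)
        if m and not re.match(r"[$%<]", m.group(2)):
            hits.append((n, m.group(1).lower(), m.group(2)))
    return hits

SAMPLE_CONFIG = [                                  # constructed sample file
    "# service configuration",
    'admin_password = "example-hardcoded-pw"',
    "api_token: ${API_TOKEN}",
    "timeout = 30",
    "db_secret=s3cr3t-literal",
]

# 3. Hardened pattern: no literal in the code. A random per-install secret is
#    generated at provisioning time, only its salted scrypt hash is stored,
#    the file is created 0600, and the comparison is constant-time.
#    Rotation means replacing the file, not shipping a new build.
_SCRYPT = dict(n=2 ** 14, r=8, p=1)

def provision_secret(path: str) -> str:
    """Generate a per-device password, store salt:hash, return the password once."""
    pw = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, **_SCRYPT)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(salt.hex() + ":" + digest.hex())
    return pw

def hardened_login(path: str, password: str) -> bool:
    """Recompute the salted hash of the candidate and compare in constant time."""
    with open(path) as f:
        salt_hex, digest_hex = f.read().strip().split(":")
    cand = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **_SCRYPT)
    return hmac.compare_digest(cand, bytes.fromhex(digest_hex))

def demo_hardened():
    """Provision into a temp dir; return (good_login, bad_login, file_mode)."""
    path = os.path.join(tempfile.mkdtemp(), "svc.secret")
    pw = provision_secret(path)
    return (hardened_login(path, pw),
            hardened_login(path, "not-the-password"),
            os.stat(path).st_mode & 0o777)

if __name__ == "__main__":
    print("vulnerable literal works:", vulnerable_login("example-hardcoded-pw"))
    print("scan hits:", find_hardcoded_credentials(SAMPLE_CONFIG))
    print("hardened (good, bad, mode):", demo_hardened())
```

The scanner is deliberately simple: it flags assignments whose value is a literal and ignores values that point at an environment variable or placeholder. Run against the constructed sample it reports the `admin_password` and `db_secret` lines and skips `api_token`, which is the distinction an image audit needs to make.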
NVD Description
Dell SmartFabric OS10 Software, version(s) 10.5.6.x, contain(s) a Use of Hard-coded Password vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access.
Deeper analysis
CVE-2024-48831 is a Use of Hard-coded Password vulnerability (CWE-259) in Dell SmartFabric OS10 Software versions 10.5.6.x. A password embedded in the software allows unauthorized access. The CVSS v3.1 base score is 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): a low-complexity local attack that needs no privileges and no user interaction, with high confidentiality, integrity and availability impact.
An unauthenticated attacker with local access to the affected system could use the embedded password to gain unauthorized access and, given the C:H/I:H/A:H impacts, fully compromise the device. In CVSS v3.1, AV:L means the attacker must already have local access to the target, for example a console or shell session or code execution as an unprivileged local user; it does not mean network reachability (that would be AV:N) or adjacent-network proximity (AV:A). PR:N means no privileges are required and UI:N means no user interaction is needed, so anyone who achieves that local positioning can exploit the flaw. Because the password is embedded in the software rather than provisioned by the operator, changing local accounts does not remove it; the complete remediation is the vendor update. Check the running release with show version on the switch and compare it against the affected 10.5.6.x range and the fixed versions listed in the advisory.
Dell's security advisory DSA-2025-068 (https://www.dell.com/support/kbdoc/en-us/000295014/dsa-2025-068-security-update-for-dell-networking-os10-vulnerabilities) describes the security update that addresses this and related OS10 vulnerabilities; affected users should apply the update it lists to remove the risk.
Details
- CWE(s)