CVE-2025-26336
Published: 21 March 2025
Summary
CVE-2025-26336 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Dell Chassis Management Controller Firmware for Dell PowerEdge FX2 (and, per the NVD description below, for PowerEdge VRTX). Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Vendor firmware update: directly mitigates the CVE by requiring timely application of the vendor-recommended firmware versions that remediate the stack-based buffer overflow.
- SI-16 (Memory Protection): stack canaries, ASLR and DEP/NX turn a stack overflow into a crash or make reliable code execution harder; they do not remove the bug. For CMC firmware these are build-time properties of the image that only Dell can change, so the operator-side action is still the update, plus keeping the CMC management interface off networks an unauthenticated remote sender can reach.
- SI-10 (Information Input Validation): bounds checking on the length of unauthenticated remote input before it is copied into a fixed-size stack buffer directly counters the overflow.
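The two firmware-side controls above (length validation before the copy, memory protection as a backstop) in working C, as an added illustration that is not Dell's CMC code (the CMC implementation is not public). A length-prefixed request field is copied into a fixed stack buffer, first the CWE-121 way, then with the checks a hardened handler needs. The one-byte-length wire format, the 32-byte buffer size and the function names are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32   /* assumed size of the on-stack scratch buffer */

/*
 * Constructed wire format for the example: one byte of declared length,
 * followed by that many bytes of field data. Nothing about the real CMC
 * protocol is implied.
 */

/* Vulnerable pattern (CWE-121): the sender's declared length is trusted and
 * used as the copy length into a fixed-size stack buffer. A declared length
 * of FIELD_MAX or more writes past the buffer (and past the return address
 * with a large enough value); a declared length above the bytes actually
 * received also over-reads the message. Kept for contrast only; the usage
 * below never calls it with hostile input. */
int parse_field_unsafe(const uint8_t *msg, size_t msg_len)
{
    char field[FIELD_MAX];
    size_t declared = msg[0];
    (void)msg_len;                       /* ignored: that is the bug */
    memcpy(field, msg + 1, declared);    /* overflow if declared >= FIELD_MAX */
    field[declared] = '\0';              /* one more out-of-bounds write */
    return (int)declared;
}

/* Hardened form (SI-10): validate the declared length against both the bytes
 * actually received and the destination buffer before any copy happens.
 * Returns the field length on success, -1 on a malformed or oversized
 * message. out_len includes room for the NUL terminator. */
int parse_field_checked(const uint8_t *msg, size_t msg_len,
                        char *out, size_t out_len)
{
    size_t declared;
    if (msg == NULL || msg_len < 1 || out == NULL || out_len == 0)
        return -1;
    declared = msg[0];
    if (declared > msg_len - 1)          /* claims more than was received */
        return -1;
    if (declared >= out_len)             /* would not fit with terminator */
        return -1;
    memcpy(out, msg + 1, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Request handler using the same stack buffer the unsafe version used. */
int handle_request(const uint8_t *msg, size_t msg_len)
{
    char field[FIELD_MAX];
    return parse_field_checked(msg, msg_len, field, sizeof field);
}

int main(void)
{
    /* Constructed messages: a well-formed one and two hostile ones. */
    static const uint8_t good[]  = {5, 'h', 'e', 'l', 'l', 'o'};
    static const uint8_t lying[] = {0x40, 'a', 'b', 'c'};   /* declares 64, sends 3 */
    uint8_t big[1 + 64];
    big[0] = 64;
    memset(big + 1, 'A', 64);                               /* 64 real bytes, too many */

    printf("good : %d\n", handle_request(good, sizeof good));    /* 5 */
    printf("lying: %d\n", handle_request(lying, sizeof lying));  /* -1 */
    printf("big  : %d\n", handle_request(big, sizeof big));      /* -1 */
    return 0;
}
```

The SI-16 backstop is not in the code because it is a compiler property: building the same unsafe handler with `-fstack-protector-strong` makes the oversized copy abort on the smashed canary instead of returning into attacker-chosen code, which converts remote code execution into a crash of the controller (the availability impact the CVSS vector already rates high). Only the firmware vendor can apply that; the input check is the fix.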
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The Chassis Management Controller's management interface is network-reachable and the overflow is triggered by input an unauthenticated remote sender controls, so exploitation maps to Exploit Public-Facing Application (T1190). Note that the CVSS vector requires user interaction (UI:R), so this is not a fully unattended remote code execution path.
NVD Description
Dell Chassis Management Controller Firmware for Dell PowerEdge FX2, version(s) prior to 2.40.200.202101130302, and Dell Chassis Management Controller Firmware for Dell PowerEdge VRTX version(s) prior to 3.41.200.202209300499, contain(s) a Stack-based Buffer Overflow vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Remote execution.
Deeper analysis
CVE-2025-26336 is a Stack-based Buffer Overflow (CWE-121, CWE-787) in Dell Chassis Management Controller Firmware for Dell PowerEdge FX2 in versions prior to 2.40.200.202101130302 and for Dell PowerEdge VRTX in versions prior to 3.41.200.202209300499. Published on 2025-03-21, it carries a CVSS v3.1 base score of 8.3 (High) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H.
Read component by component: the attacker needs only network access to the CMC (AV:N), no special conditions (AC:L) and no credentials (PR:N), but some user interaction is required (UI:R); scope is unchanged (S:U), and successful exploitation yields high confidentiality and availability impact with low integrity impact (C:H/I:L/A:H), the outcome the NVD text describes as remote execution.
Dell's security advisory DSA-2025-123 addresses this issue and related vulnerabilities in the Chassis Management Controller Firmware. It recommends updating to version 2.40.200.202101130302 or later for PowerEdge FX2 and 3.41.200.202209300499 or later for PowerEdge VRTX. Full details are available at https://www.dell.com/support/kbdoc/en-us/000297463/dsa-2025-123-security-update-for-dell-chassis-management-controller-firmware-for-dell-poweredge-fx2-and-vrtx-vulnerabilities.
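A fleet check against the fixed versions quoted in the NVD text, as an added example that is not Dell's tooling: it parses the dotted CMC version string, compares it component by component with the fixed build for the platform, and flags anything lower. The inventory lines are constructed, and the assumption is that the version reported by the CMC uses the same four-part dotted form the advisory uses (the last component exceeds 32 bits, hence the 64-bit arithmetic).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VER_PARTS 4

/* Fixed versions from the NVD description / DSA-2025-123. */
static const char *FX2_FIXED  = "2.40.200.202101130302";
static const char *VRTX_FIXED = "3.41.200.202209300499";

/* Split a dotted numeric version into up to VER_PARTS 64-bit components.
 * Missing trailing components are treated as 0. Returns 0 on success,
 * -1 if the string is empty or a component is not a decimal number. */
static int parse_version(const char *s, unsigned long long out[VER_PARTS])
{
    size_t i;
    for (i = 0; i < VER_PARTS; i++)
        out[i] = 0;
    if (s == NULL || *s == '\0')
        return -1;
    for (i = 0; i < VER_PARTS; i++) {
        char *end;
        out[i] = strtoull(s, &end, 10);
        if (end == s)                    /* no digits where one was expected */
            return -1;
        if (*end == '\0')
            break;
        if (*end != '.')                 /* unexpected character */
            return -1;
        s = end + 1;
        if (*s == '\0')                  /* trailing dot */
            return -1;
    }
    return 0;
}

/* 1 if the reported version is below the fixed build for the platform,
 * 0 if it is at or above it, -1 for an unknown platform or unparsable
 * version (treat -1 as "investigate", not as "safe"). */
int cmc_is_vulnerable(const char *platform, const char *version)
{
    const char *fixed;
    unsigned long long have[VER_PARTS], need[VER_PARTS];
    size_t i;

    if (strcmp(platform, "FX2") == 0)
        fixed = FX2_FIXED;
    else if (strcmp(platform, "VRTX") == 0)
        fixed = VRTX_FIXED;
    else
        return -1;

    if (parse_version(version, have) != 0 || parse_version(fixed, need) != 0)
        return -1;

    for (i = 0; i < VER_PARTS; i++) {
        if (have[i] < need[i]) return 1;
        if (have[i] > need[i]) return 0;
    }
    return 0;                            /* exactly the fixed version */
}

int main(void)
{
    /* Constructed inventory: platform and the version the CMC reports. */
    static const struct { const char *host, *platform, *version; } inv[] = {
        { "cmc-fx2-01",  "FX2",  "2.40.100.202001010000" },   /* below fix */
        { "cmc-fx2-02",  "FX2",  "2.40.200.202101130302" },   /* fixed     */
        { "cmc-vrtx-01", "VRTX", "3.41.200.202209300498" },   /* below fix */
        { "cmc-vrtx-02", "VRTX", "3.41.201.0" },              /* above fix */
        { "cmc-m1000e",  "M1000e", "6.21" },                  /* not in scope */
    };
    size_t i;
    for (i = 0; i < sizeof inv / sizeof inv[0]; i++) {
        int r = cmc_is_vulnerable(inv[i].platform, inv[i].version);
        printf("%-12s %-6s %-24s %s\n", inv[i].host, inv[i].platform, inv[i].version,
               r == 1 ? "VULNERABLE" : r == 0 ? "fixed" : "unknown/check");
    }
    return 0;
}
```

The comparison is numeric per component rather than a string compare, because "2.40.200.202101130302" sorts after "2.40.1000.0" lexically but is the lower build. Unknown platforms and malformed strings come back as -1 so they are not silently reported as patched.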
Details
- CWE(s)