CVE-2025-46428
Published: 12 November 2025
Summary
CVE-2025-46428 is a high-severity Command Injection (CWE-77) vulnerability in Dell SmartFabric OS10. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); it ranks at the 31.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-46428 is an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability, classified under CWE-77, in Dell SmartFabric OS10 Software versions prior to 10.6.1.0. Published on 2025-11-12, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant impact across confidentiality, integrity, and availability.
A low-privileged attacker with remote access can exploit this vulnerability, requiring low complexity and no user interaction. Successful exploitation enables arbitrary code execution on the affected system.
Dell security advisory DSA-2025-407, detailed at https://www.dell.com/support/kbdoc/en-us/000391062/dsa-2025-407-security-update-for-dell-networking-os10-vulnerabilities, addresses this and related OS10 vulnerabilities with recommended security updates.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-131943
Vulnerability details
Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contain an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low-privileged attacker with remote access could potentially exploit this vulnerability, leading to code execution.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A command injection vulnerability in network device software enables exploitation of remote services (T1210), execution of arbitrary commands via the network device CLI (T1059.008), and privilege escalation through remote code execution from low-privileged access (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the command injection flaw in Dell SmartFabric OS10 by applying the vendor security updates specified in DSA-2025-407 (fixed in 10.6.1.0).
- SI-10 (Information Input Validation): enforces validation and neutralization of special elements in command inputs to prevent exploitation of the CWE-77 command injection vulnerability.
- Least privilege on remote-access accounts: limits the damage a low-privileged remote attacker can do with code execution by restricting the rights of accounts that can reach the device remotely.