CVE-2025-38747 is a vulnerability classified under CWE-378, which pertains to the creation of temporary files with insecure permissions. This issue exists in Dell SupportAssist OS Recovery software versions prior to 5.5.14.0. The vulnerability allows a local attacker who has authenticated access to the system to exploit the insecure file permissions on temporary files created by the software. Because these temporary files are created with overly permissive access rights, an attacker could manipulate or replace these files to execute arbitrary code or escalate their privileges on the system. The vulnerability affects confidentiality, integrity, and availability, as unauthorized code execution or privilege escalation can lead to data breaches, system compromise, or denial of service. The CVSS v3.1 base score is 7.8, reflecting a high severity level, with attack vector limited to local (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and unchanged scope (S:U). Although no exploits have been reported in the wild yet, the vulnerability poses a significant risk due to the critical nature of OS recovery tools and their elevated privileges during operation. The lack of available patches at the time of reporting necessitates immediate attention to mitigation strategies.

The vulnerability enables local authenticated attackers to escalate privileges, potentially gaining administrative or SYSTEM-level access. This can lead to unauthorized access to sensitive data, modification or deletion of critical system files, and disruption of system availability. Since SupportAssist OS Recovery operates with elevated privileges during recovery processes, exploitation could allow attackers to compromise the entire system, bypass security controls, and maintain persistence. Organizations relying on Dell SupportAssist OS Recovery for system recovery and maintenance are at risk of significant operational disruption and data breaches. The impact is especially critical in environments where multiple users have local access or where endpoint security is lax. Additionally, compromised systems could serve as footholds for lateral movement within enterprise networks, increasing the overall risk posture.

Organizations should immediately verify the version of Dell SupportAssist OS Recovery installed and plan to upgrade to version 5.5.14.0 or later once available. Until patches are released, restrict local user access to systems running vulnerable versions and enforce the principle of least privilege to limit authenticated user capabilities. Implement strict file system permissions and monitor temporary file creation directories for unauthorized modifications or suspicious activity. Employ endpoint detection and response (EDR) solutions to detect anomalous behavior indicative of privilege escalation attempts. Additionally, consider disabling or uninstalling SupportAssist OS Recovery on systems where it is not essential. Regularly audit and harden local user accounts and group memberships to reduce the attack surface. Finally, maintain robust logging and alerting to quickly identify and respond to potential exploitation attempts.