CVE-2025-43991 is a vulnerability classified under CWE-61, involving UNIX symbolic link (symlink) following in Dell SupportAssist software for Home and Business PCs. The flaw arises because the software improperly handles symbolic links when performing file operations, allowing a low privileged local attacker to create or manipulate symlinks to point to arbitrary files. When SupportAssist follows these symlinks, it may delete files that the attacker targets, leading to unauthorized file deletion. This vulnerability does not require user interaction but does require local access with low privileges, and the attack complexity is high due to the need to create specific symlink conditions. The vulnerability affects SupportAssist versions 4.8.2 and earlier for Home PCs and 4.5.3 and earlier for Business PCs. The CVSS v3.1 score of 6.3 reflects a medium severity, with attack vector local (AV:L), attack complexity high (AC:H), privileges required low (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and high availability impact (A:H). No patches or exploits are currently publicly available, but the vulnerability poses a risk to system integrity and availability by enabling deletion of arbitrary files, potentially disrupting system operations or causing data loss. Organizations relying on Dell SupportAssist for system maintenance should be aware of this vulnerability and prepare to apply patches once released.

For European organizations, this vulnerability could lead to unauthorized deletion of critical files on endpoints running affected Dell SupportAssist versions. This impacts system integrity and availability, potentially causing downtime, data loss, or disruption of IT support functions. Since the exploit requires local access, insider threats or compromised user accounts pose the greatest risk. Organizations with remote or hybrid workforces using Dell laptops or desktops with SupportAssist installed are particularly vulnerable. The impact is more severe in sectors with strict data integrity requirements such as finance, healthcare, and government. Additionally, disruption of endpoint support tools could delay remediation of other issues, compounding operational risks. Although no exploits are currently known in the wild, the presence of this vulnerability increases the attack surface and could be leveraged in targeted attacks or by malware with local access capabilities.

1. Monitor Dell's official channels for patches addressing CVE-2025-43991 and apply updates promptly once available. 2. Restrict local access to systems running Dell SupportAssist to trusted users only, employing strict access controls and endpoint security measures. 3. Implement application whitelisting and endpoint protection solutions to detect and prevent unauthorized creation or manipulation of symbolic links. 4. Regularly audit file system permissions and monitor for unusual file deletion activities or symlink creations indicative of exploitation attempts. 5. Consider temporarily disabling or uninstalling SupportAssist on non-critical systems if patching is delayed and local access cannot be sufficiently controlled. 6. Educate users about the risks of local privilege misuse and enforce strong authentication and session management policies to reduce insider threat risks. 7. Employ system integrity monitoring tools to detect unexpected changes to critical files or directories. These steps go beyond generic advice by focusing on controlling local access, monitoring symlink activity, and preparing for patch deployment.