A security advisory released by Dell, DSA-2025-331, warrants immediate attention from any organization deploying Dell thin clients. It details a collection of four distinct vulnerabilities in ThinOS 10, the company’s purpose-built, locked-down operating system.
Four CVEs have been disclosed CVE-2025-43728, CVE-2025-43729, CVE-2025-43730, and CVE-2025-43882—describe flaws ranging from remote protection mechanism bypasses to local privilege escalation.
The standout issue, CVE-2025-43728, carries a CVSS v3.1 score of 9.6 (Critical). This flaw allows an unauthenticated, remote attacker to bypass ThinOS’s protection mechanisms and potentially execute code or compromise system integrity without valid credentials. In an enterprise scenario, a threat actor could compromise one ThinOS endpoint over the network—without valid credentials—and then use that foothold to attack backend Citrix or RDS sessions.
The remaining vulnerabilities, while requiring some degree of local access, are still dangerous in enterprise deployments where ThinOS devices often sit inside trusted corporate networks, directly handling remote desktop sessions and accessing sensitive backend infrastructure.
Local Escalation: CVE-2025-43730 (Argument Injection)
- Vector: Local, unauthenticated
- Impact: Elevation of privileges, information disclosure
- CVSS: 8.4 (High)
This vulnerability allows a local unauthenticated user to inject arguments into commands, effectively hijacking processes or invoking unintended system functions. In practice, this means an attacker who gains basic shell or local interface access could escalate to root or harvest sensitive session information.
On a thin client, where users generally lack administrative access, such a flaw can nullify Dell’s permission model. Attackers could exploit this to scrape cached credentials, manipulate VDI connections, or implant persistence.
Local Escalation: CVE-2025-43729 (Incorrect Permission Assignment)
- Vector: Local, low-privileged
- Impact: Elevation of privileges, unauthorized access
- CVSS: 7.8 (High)
This misconfiguration flaw grants insufficiently restricted access to critical resources. In many embedded OSes, incorrect permission assignment leads to scenarios where system files, device nodes, or IPC channels are accessible to non-privileged users. Exploitation allows low-privileged attackers to elevate rights or manipulate system behavior.
In real-world deployments, this could allow a malicious insider—or a remote actor who has already chained the remote bypass—to seize administrative control of the endpoint.
Local Escalation: CVE-2025-43882 (Unverified Ownership)
- Vector: Local, low-privileged
- Impact: Unauthorized access
- CVSS: 7.8 (High)
Here, ThinOS fails to verify ownership of resources. The practical effect is that attackers can impersonate other users or processes, gaining unauthorized access to data or system operations. When combined with the argument injection bug, it could yield a full local compromise.
The vulnerabilities in DSA-2025-331 align with recent attacker trends:
- Remote-to-local pivots: Exploiting unauthenticated vectors first, then chaining local flaws for privilege escalation.
- Supply chain and infrastructure targeting: Thin clients are part of the infrastructure layer. Compromise here enables access to critical apps and data without directly attacking hardened servers.
- Focus on protection bypasses: ThinOS is billed as a “locked-down” OS. Attackers are increasingly identifying and weaponizing flaws in such “protection mechanisms,” undermining assumptions of safety.
