CVE-2024-0154 [Low] | Out-of-bounds Read in Poweredge R660 Firmware

Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an improper parameter initialization vulnerability. A local low privileged attacker could potentially exploit this vulnerability to read the contents of non-SMM stack memory.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-11-21	0.05%	0.09%	+0.04%
2	2025-11-18	0.09%	0.05%	-0.04%
3	2025-04-20	—	0.09%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-11-21

0.05%

0.09%

+0.04%

2025-11-18

0.09%

0.05%

-0.04%

2025-04-20

—

0.09%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
3.8	3.1	LOW	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	2.0	1.4	[email protected]
3.3	3.1	LOW	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	1.8	1.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

3.8

3.1

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

2.0

1.4

[email protected]

3.3

3.1

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

1.8

1.4

[email protected]

Affected software / configurations for CVE-2024-0154

Vendor	Product	Version	Raw CPE
dell	poweredge_r660_firmware	< 2.0.0	cpe:2.3:o:dell:poweredge_r660_firmware::::::::
dell	poweredge_r760_firmware	< 2.0.0	cpe:2.3:o:dell:poweredge_r760_firmware::::::::
dell	poweredge_c6620_firmware	< 2.0.0	cpe:2.3:o:dell:poweredge_c6620_firmware::::::::
dell	poweredge_mx760c_firmware	< 2.0.0	cpe:2.3:o:dell:poweredge_mx760c_firmware::::::::
dell	poweredge_r860_firmware	< 1.8.0	cpe:2.3:o:dell:poweredge_r860_firmware::::::::
dell	poweredge_r960_firmware	< 1.8.0	cpe:2.3:o:dell:poweredge_r960_firmware::::::::
dell	poweredge_hs5610_firmware	< 2.0.0	cpe:2.3:o:dell:poweredge_hs5610_firmware::::::::
dell	poweredge_hs5620_firmware	< 2.0.0	cpe:2.3:o:dell:poweredge_hs5620_firmware::::::::
dell	poweredge_r660xs_firmware	< 2.0.0	cpe:2.3:o:dell:poweredge_r660xs_firmware::::::::
dell	poweredge_r760xs_firmware	< 2.0.0	cpe:2.3:o:dell:poweredge_r760xs_firmware::::::::
dell	poweredge_r760xd2_firmware	< 2.0.0	cpe:2.3:o:dell:poweredge_r760xd2_firmware::::::::
dell	poweredge_t560_firmware	< 2.0.0	cpe:2.3:o:dell:poweredge_t560_firmware::::::::
dell	poweredge_r760xa_firmware	< 2.0.0	cpe:2.3:o:dell:poweredge_r760xa_firmware::::::::
dell	poweredge_xe9680_firmware	< 1.8.0	cpe:2.3:o:dell:poweredge_xe9680_firmware::::::::
dell	poweredge_xr5610_firmware	< 1.8.0	cpe:2.3:o:dell:poweredge_xr5610_firmware::::::::
dell	poweredge_xr8610t_firmware	< 1.8.0	cpe:2.3:o:dell:poweredge_xr8610t_firmware::::::::
dell	poweredge_xr8620t_firmware	< 1.8.0	cpe:2.3:o:dell:poweredge_xr8620t_firmware::::::::
dell	poweredge_xr7620_firmware	< 1.8.0	cpe:2.3:o:dell:poweredge_xr7620_firmware::::::::
dell	poweredge_xe8640_firmware	< 1.8.0	cpe:2.3:o:dell:poweredge_xe8640_firmware::::::::
dell	poweredge_xe9640_firmware	< 1.8.0	cpe:2.3:o:dell:poweredge_xe9640_firmware::::::::
dell	poweredge_r6615_firmware	< 1.7.2	cpe:2.3:o:dell:poweredge_r6615_firmware::::::::
dell	poweredge_r7615_firmware	< 1.7.2	cpe:2.3:o:dell:poweredge_r7615_firmware::::::::
dell	poweredge_r6625_firmware	< 1.7.2	cpe:2.3:o:dell:poweredge_r6625_firmware::::::::
dell	poweredge_r7625_firmware	< 1.7.2	cpe:2.3:o:dell:poweredge_r7625_firmware::::::::
dell	poweredge_c6615_firmware	< 1.2.3	cpe:2.3:o:dell:poweredge_c6615_firmware::::::::
dell	poweredge_r650_firmware	< 1.13.2	cpe:2.3:o:dell:poweredge_r650_firmware::::::::
dell	poweredge_r750_firmware	< 1.13.2	cpe:2.3:o:dell:poweredge_r750_firmware::::::::
dell	poweredge_r750xa_firmware	< 1.13.2	cpe:2.3:o:dell:poweredge_r750xa_firmware::::::::
dell	poweredge_c6520_firmware	< 1.13.2	cpe:2.3:o:dell:poweredge_c6520_firmware::::::::
dell	poweredge_mx750c_firmware	< 1.13.2	cpe:2.3:o:dell:poweredge_mx750c_firmware::::::::
dell	poweredge_r550_firmware	< 1.13.2	cpe:2.3:o:dell:poweredge_r550_firmware::::::::
dell	poweredge_r450_firmware	< 1.13.2	cpe:2.3:o:dell:poweredge_r450_firmware::::::::
dell	poweredge_r650xs_firmware	< 1.13.2	cpe:2.3:o:dell:poweredge_r650xs_firmware::::::::
dell	poweredge_r750xs_firmware	< 1.13.2	cpe:2.3:o:dell:poweredge_r750xs_firmware::::::::
dell	poweredge_t550_firmware	< 1.13.2	cpe:2.3:o:dell:poweredge_t550_firmware::::::::
dell	poweredge_xr11_firmware	< 1.13.2	cpe:2.3:o:dell:poweredge_xr11_firmware::::::::
dell	poweredge_xr12_firmware	< 1.13.2	cpe:2.3:o:dell:poweredge_xr12_firmware::::::::
dell	poweredge_xr4510c_firmware	< 1.14.1	cpe:2.3:o:dell:poweredge_xr4510c_firmware::::::::
dell	poweredge_xr4520c_firmware	< 1.14.1	cpe:2.3:o:dell:poweredge_xr4520c_firmware::::::::
dell	poweredge_t150_firmware	< 1.9.1	cpe:2.3:o:dell:poweredge_t150_firmware::::::::
dell	poweredge_t350_firmware	< 1.9.1	cpe:2.3:o:dell:poweredge_t350_firmware::::::::
dell	poweredge_r250_firmware	< 1.9.1	cpe:2.3:o:dell:poweredge_r250_firmware::::::::
dell	poweredge_r350_firmware	< 1.9.1	cpe:2.3:o:dell:poweredge_r350_firmware::::::::
dell	poweredge_r6515_firmware	< 2.14.1	cpe:2.3:o:dell:poweredge_r6515_firmware::::::::
dell	poweredge_r6525_firmware	< 2.14.1	cpe:2.3:o:dell:poweredge_r6525_firmware::::::::
dell	poweredge_r7515_firmware	< 2.14.1	cpe:2.3:o:dell:poweredge_r7515_firmware::::::::
dell	poweredge_r7525_firmware	< 2.14.1	cpe:2.3:o:dell:poweredge_r7525_firmware::::::::
dell	poweredge_c6525_firmware	< 2.14.1	cpe:2.3:o:dell:poweredge_c6525_firmware::::::::
dell	poweredge_xe8545_firmware	< 2.14.1	cpe:2.3:o:dell:poweredge_xe8545_firmware::::::::
dell	poweredge_r740_firmware	< 2.21.2	cpe:2.3:o:dell:poweredge_r740_firmware::::::::
dell	poweredge_r740xd_firmware	< 2.21.2	cpe:2.3:o:dell:poweredge_r740xd_firmware::::::::
dell	poweredge_r640_firmware	< 2.21.2	cpe:2.3:o:dell:poweredge_r640_firmware::::::::
dell	poweredge_r940_firmware	< 2.21.2	cpe:2.3:o:dell:poweredge_r940_firmware::::::::
dell	poweredge_r540_firmware	< 2.21.1	cpe:2.3:o:dell:poweredge_r540_firmware::::::::
dell	poweredge_r440_firmware	< 2.21.1	cpe:2.3:o:dell:poweredge_r440_firmware::::::::
dell	poweredge_t440_firmware	< 2.21.1	cpe:2.3:o:dell:poweredge_t440_firmware::::::::
dell	poweredge_xr2_firmware	< 2.21.1	cpe:2.3:o:dell:poweredge_xr2_firmware::::::::
dell	poweredge_r740xd2_firmware	< 2.21.1	cpe:2.3:o:dell:poweredge_r740xd2_firmware::::::::
dell	poweredge_r840_firmware	< 2.21.0	cpe:2.3:o:dell:poweredge_r840_firmware::::::::
dell	poweredge_r940xa_firmware	< 2.21.0	cpe:2.3:o:dell:poweredge_r940xa_firmware::::::::
dell	poweredge_t640_firmware	< 2.21.0	cpe:2.3:o:dell:poweredge_t640_firmware::::::::
dell	poweredge_c6420_firmware	< 2.21.0	cpe:2.3:o:dell:poweredge_c6420_firmware::::::::
dell	poweredge_fc640_firmware	< 2.21.0	cpe:2.3:o:dell:poweredge_fc640_firmware::::::::
dell	poweredge_m640_firmware	< 2.21.0	cpe:2.3:o:dell:poweredge_m640_firmware::::::::
dell	poweredge_m640_\(pe_vrtx\)_firmware	< 2.21.0	cpe:2.3:o:dell:poweredge_m640_\(pe_vrtx\)_firmware::::::::
dell	poweredge_mx740c_firmware	< 2.21.0	cpe:2.3:o:dell:poweredge_mx740c_firmware::::::::
dell	poweredge_mx840c_firmware	< 2.21.0	cpe:2.3:o:dell:poweredge_mx840c_firmware::::::::
dell	poweredge_c4140_firmware	< 2.21.1	cpe:2.3:o:dell:poweredge_c4140_firmware::::::::
dell	dss_8440_firmware	< 2.21.0	cpe:2.3:o:dell:dss_8440_firmware::::::::
dell	poweredge_xe2420_firmware	< 2.21.1	cpe:2.3:o:dell:poweredge_xe2420_firmware::::::::
dell	poweredge_xe7420_firmware	< 2.21.0	cpe:2.3:o:dell:poweredge_xe7420_firmware::::::::
dell	poweredge_xe7440_firmware	< 2.21.0	cpe:2.3:o:dell:poweredge_xe7440_firmware::::::::
dell	poweredge_t140_firmware	< 2.16.0	cpe:2.3:o:dell:poweredge_t140_firmware::::::::
dell	poweredge_t340_firmware	< 2.16.0	cpe:2.3:o:dell:poweredge_t340_firmware::::::::
dell	poweredge_r240_firmware	< 2.16.0	cpe:2.3:o:dell:poweredge_r240_firmware::::::::
dell	poweredge_r340_firmware	< 2.16.0	cpe:2.3:o:dell:poweredge_r340_firmware::::::::
dell	poweredge_r730_firmware	< 2.19.0	cpe:2.3:o:dell:poweredge_r730_firmware::::::::
dell	poweredge_r730xd_firmware	< 2.19.0	cpe:2.3:o:dell:poweredge_r730xd_firmware::::::::
dell	poweredge_r630_firmware	< 2.19.0	cpe:2.3:o:dell:poweredge_r630_firmware::::::::
dell	poweredge_c4130_firmware	< 2.19.0	cpe:2.3:o:dell:poweredge_c4130_firmware::::::::

References for CVE-2024-0154

URL	Tags
https://www.dell.com/support/kbdoc/en-us/000222898/dsa-2024-034-security-update-for-dell-poweredge-server-bios-for-an-improper-parameter-initialization-vulnerability	Vendor Advisory

URL

CVE-2024-0154

Exploit prediction scoring system (EPSS) score for CVE-2024-0154

Common vulnerability scoring system (CVSS) metrics for CVE-2024-0154

Weakness enumeration for CVE-2024-0154

Affected software / configurations for CVE-2024-0154

References for CVE-2024-0154