CVE-2024-49564
Published: 28 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution. (This is the MITRE ATT&CK description of T1059.004, Unix Shell, the technique this CVE is mapped to below.)
Security Summary
CVE-2024-49564 is an OS command injection vulnerability (CWE-78, Improper Neutralization of Special Elements used in an OS Command) affecting Dell Unity versions 5.4 and prior. Input that reaches an operating-system command is not adequately neutralized, so an attacker can smuggle shell metacharacters or additional commands into calls the product makes to the underlying OS.
A low-privileged attacker with local access can exploit it with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 7.8 (High; vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation yields arbitrary operating-system command execution as root: a full privilege escalation with high impact on confidentiality, integrity, and availability.
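The pattern behind CWE-78, shown as an added example that is not Dell's code and says nothing about where the flaw sits in Unity: a hypothetical diagnostic helper takes a host name from a low-privileged user and runs a command with it. The vulnerable version splices the value into a shell command string; the hardened version allowlists the value and passes it as a single argv element so no shell ever parses it. `echo` stands in for the real tool so the block is harmless and runs offline; the payload and host names are constructed.

```python
import re
import subprocess

# Hypothetical helper (constructed example, not Dell Unity code): runs a
# diagnostic against a host name supplied by a low-privileged user.

# Allowlist for a host name: alphanumerics, dots and hyphens, must start and
# end with an alphanumeric. This also rejects a leading '-', which blocks
# argument injection (the value being read as an option) as well as shell
# metacharacters such as ';', '|', '$(' and backticks.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def diagnose_vulnerable(host: str) -> str:
    """CWE-78: untrusted input is spliced into a shell command string.
    A value like '10.0.0.1; id' becomes two commands for /bin/sh, and the
    second one runs with whatever privileges this helper has."""
    cmd = f"echo diagnosing {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_host(host: str) -> bool:
    """True only if the value matches the host-name allowlist."""
    return HOST_RE.fullmatch(host) is not None


def validate_host(host: str) -> str:
    """Reject anything outside the allowlist before it reaches a command."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return host


def diagnose_hardened(host: str) -> str:
    """Validate first, then execute with an argv list and no shell.
    Even a value that slipped past validation would reach the program as
    one argument, never as a second command."""
    argv = ["echo", "diagnosing", validate_host(host)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"          # constructed payload
    print(repr(diagnose_vulnerable(payload)))     # second command ran
    try:
        diagnose_hardened(payload)
    except ValueError as err:
        print("hardened:", err)
    print(repr(diagnose_hardened("unity-sp-a.example.com")))
```

The two defences are independent and both matter: the allowlist stops bad values at the trust boundary, and the argv form removes the shell, so a future bug in the allowlist cannot turn into command execution. Validation that merely strips or escapes characters is the weaker option, because the set of characters a shell treats specially depends on the shell and on quoting context.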
Dell has issued DSA-2025-116, a security update addressing this and multiple other vulnerabilities in Dell Unity, Dell UnityVSA, and Dell Unity XT. Practitioners should consult the advisory at https://www.dell.com/support/kbdoc/en-us/000300090/dsa-2025-116-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities for patch details and mitigation guidance.
Details
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')
- Affected Products: Dell Unity (versions 5.4 and prior), Dell UnityVSA, Dell Unity XT; see DSA-2025-116 for the fixed versions
- MITRE ATT&CK Enterprise Techniques: T1068 (Exploitation for Privilege Escalation), T1059.004 (Command and Scripting Interpreter: Unix Shell)
Why these techniques?
OS command injection (CWE-78) reachable by a local, low-privileged user yields arbitrary command execution as root. That maps to T1068 (Exploitation for Privilege Escalation) for the jump to root and to T1059.004 (Unix Shell) for the execution vector, since the injected input is interpreted by a Unix shell on the Linux-based Dell Unity system.