CVE-2024-49565
Published: 28 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2024-49565 is an OS Command Injection vulnerability (CWE-78) affecting Dell Unity storage systems in versions 5.4 and prior. The flaw stems from improper neutralization of special elements used in an OS command, allowing malicious input to alter command execution.
A low-privileged attacker with local access can exploit this vulnerability with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables arbitrary command execution and privilege escalation, potentially granting full control over the affected system.
Dell has addressed this issue in DSA-2025-116, a security update for multiple vulnerabilities in Dell Unity, Dell UnityVSA, and Dell Unity XT, available via the provided advisory at https://www.dell.com/support/kbdoc/en-us/000300090/dsa-2025-116-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities. Security practitioners should apply the patch promptly to mitigate risks.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection vulnerability enables arbitrary command execution on a Linux-based system, directly facilitating T1068 for privilege escalation from low-privileged local access and T1059.004 for Unix shell command execution.