CVE-2024-49601
Published: 28 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-49601 is an Improper Neutralization of Special Elements used in an OS Command, classified as an OS Command Injection vulnerability (CWE-78), affecting Dell Unity versions 5.4 and prior. This flaw exists in the storage system's software, where special elements in OS commands are not properly sanitized, potentially allowing malicious input to alter command execution.
An unauthenticated attacker with remote network access can exploit this vulnerability with low attack complexity, requiring no privileges or user interaction, and without changing the scope of impact. Successful exploitation could lead to arbitrary command execution on the affected system, with low impacts to confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Dell has issued security advisory DSA-2025-116, which provides a security update addressing multiple vulnerabilities in Dell Unity, Dell UnityVSA, and Dell Unity XT, including CVE-2024-49601. Practitioners should consult the advisory for patch deployment details and mitigation guidance.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in remotely accessible Dell Unity storage system enables unauthenticated remote arbitrary command execution, directly mapping to exploitation of public-facing applications.