CVE-2025-22472
Published: 17 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-22472 is a command injection vulnerability (CWE-77) in Dell SmartFabric OS10 Software, affecting versions 10.5.4.x, 10.5.5.x, 10.5.6.x, and 10.6.0.x. The flaw stems from improper neutralization of special elements used in a command, which can allow arbitrary command execution. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
A low-privileged attacker with local access to the system can exploit this vulnerability. Successful exploitation enables the execution of arbitrary commands with elevated privileges, potentially allowing full compromise of the affected OS10 instance.
Dell has addressed this issue through multiple security advisories, including DSA-2025-070, DSA-2025-069, DSA-2025-079, and DSA-2025-068, available at the referenced KB documents. These updates provide patches and mitigation guidance for vulnerable OS10 versions.
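To make the vulnerability class concrete, the following is an added, constructed illustration of CWE-77 (improper neutralization of special elements used in a command). It is hypothetical example code, not Dell SmartFabric OS10 code and not taken from the advisories above: a small diagnostic wrapper that runs a tool on a user-supplied operand, first in the defective form (operand spliced into a shell string), then in a hardened form (allowlist validation plus an argv list with no shell). `echo` stands in for the privileged tool so the demonstration is harmless, and the operand names and the `OPERAND_RE` allowlist are assumptions for the example.

```python
import re
import subprocess

# Constructed illustration of CWE-77. The "diagnostic wrapper" below is
# hypothetical and is NOT Dell SmartFabric OS10 code; it exists only to show
# the defect class beside its fix.

# Allowlist for an operand (e.g. an interface name): letters, digits and a few
# safe punctuation characters, bounded in length. Spaces, ';', '|', '$',
# backticks and similar are rejected before they reach a process launcher.
OPERAND_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_./-]{0,31}$")

# Characters that hand a POSIX shell control over the command line; useful
# both as an input screen and when reviewing logs of CLI operands.
SHELL_METACHARS = set(";|&$`<>()\n\"'\\ ")


def is_valid_operand(operand: str) -> bool:
    """True only if the operand matches the allowlist exactly."""
    return OPERAND_RE.fullmatch(operand) is not None


def has_shell_metachars(operand: str) -> bool:
    """Cheap screen: does the operand contain any shell control character?"""
    return any(ch in SHELL_METACHARS for ch in operand)


def vulnerable_run(operand: str) -> str:
    # CWE-77 pattern: the operand is concatenated into a shell string and
    # executed with shell=True, so shell metacharacters in it are interpreted
    # as additional commands rather than as data.
    cmd = "echo " + operand
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_run_without_validation(operand: str) -> str:
    # First defense on its own: an argv list with no shell. The operand can
    # only ever be a single argument to 'echo', whatever it contains.
    return subprocess.run(["echo", operand], capture_output=True, text=True).stdout


def hardened_run(operand: str) -> str:
    # Both defenses: allowlist validation, then argv list with no shell.
    # Rejecting bad input early also gives a clean point to log and alert on.
    if not is_valid_operand(operand):
        raise ValueError(f"rejected operand: {operand!r}")
    return subprocess.run(["echo", operand], capture_output=True, text=True).stdout


if __name__ == "__main__":
    benign = "eth0"                       # constructed input
    hostile = "eth0; echo injected"       # constructed input with a shell metacharacter
    print(repr(vulnerable_run(hostile)))                    # 'eth0\ninjected\n'
    print(repr(hardened_run_without_validation(hostile)))   # 'eth0; echo injected\n'
    print(is_valid_operand(hostile), has_shell_metachars(hostile))  # False True
    print(repr(hardened_run(benign)))                       # 'eth0\n'
```

The two hardened variants are kept separate on purpose: the argv list alone already stops the operand from being parsed by a shell, while the allowlist additionally rejects anything unexpected before execution, which is where a detection hook (log the rejected operand and the calling user) naturally sits.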
Details
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command)
- Affected Products: Dell SmartFabric OS10 Software versions 10.5.4.x, 10.5.5.x, 10.5.6.x, and 10.6.0.x
- MITRE ATT&CK Enterprise Techniques: T1068 (Exploitation for Privilege Escalation), T1059.004 (Unix Shell)
Why these techniques?
Command injection (CWE-77) in OS10 directly enables arbitrary command execution with elevated privileges from local low-privileged access, mapping to T1068 (Exploitation for Privilege Escalation) and T1059.004 (Unix Shell) for command interpreter abuse.