CVE-2025-24377
Published: 28 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-24377, published on 2025-03-28, is an "Improper Neutralization of Special Elements used in an OS Command" vulnerability (CWE-78) affecting Dell Unity versions 5.4 and prior. This OS command injection flaw carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): high severity, because successful exploitation has a high impact on confidentiality, integrity, and availability.
A low-privileged attacker with local access to the system could exploit this vulnerability to execute arbitrary code and elevate privileges, potentially gaining higher-level control over the affected Dell Unity instance.
Dell's security advisory DSA-2025-116 provides a security update addressing this and multiple other vulnerabilities in Dell Unity, Dell UnityVSA, and Dell Unity XT, available at https://www.dell.com/support/kbdoc/en-us/000300090/dsa-2025-116-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities.
Details
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
- Affected Products: Dell Unity versions 5.4 and prior (see DSA-2025-116 for Dell UnityVSA and Dell Unity XT)
- MITRE ATT&CK Enterprise Techniques: T1059 (Command and Scripting Interpreter), T1068 (Exploitation for Privilege Escalation)
Why these techniques?
OS command injection (CWE-78) directly gives a local low-privileged attacker arbitrary command execution (T1059); that command execution is then leveraged to escalate privileges on the affected Dell Unity system (T1068).