CVE-2025-24380
Published: 28 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-24380 is an OS Command Injection vulnerability (CWE-78) affecting Dell Unity storage systems in versions 5.4 and prior. The flaw stems from improper neutralization of special elements used in an OS command, allowing malicious input to alter command execution. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with low attack complexity for local, low-privileged users.
A low-privileged attacker with local access to the affected Dell Unity system could exploit this vulnerability to execute arbitrary OS commands and elevate privileges. Successful exploitation would grant the attacker higher-level access, potentially enabling full system compromise, data manipulation, or further lateral movement within the storage environment.
Dell has addressed this issue in security advisory DSA-2025-116, detailed in KB article 000300090, which provides updates for Dell Unity, Dell UnityVSA, and Dell Unity XT systems covering multiple vulnerabilities including CVE-2025-24380. Security practitioners should consult the advisory for patch deployment instructions and verify system versions against the affected range.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection vulnerability directly enables arbitrary command execution via Unix shell (T1059.004) and facilitates local privilege escalation (T1068) for low-privileged users.