CVE-2025-24382
Published: 28 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-24382 is an Improper Neutralization of Special Elements used in an OS Command, classified as an OS Command Injection vulnerability (CWE-78), affecting Dell Unity versions 5.4 and prior. Published on 2025-03-28, the vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low complexity.
An unauthenticated attacker with remote network access can exploit this vulnerability to achieve arbitrary command execution on the affected system, potentially compromising confidentiality, integrity, and availability with low impact in each category.
Dell has issued security advisory DSA-2025-116, detailing a security update addressing multiple vulnerabilities, including this one, in Dell Unity, Dell UnityVSA, and Dell Unity XT. For mitigation details, refer to https://www.dell.com/support/kbdoc/en-us/000300090/dsa-2025-116-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection (CWE-78) in network-accessible Dell Unity management interface enables remote unauthenticated arbitrary command execution, directly mapping to exploitation of public-facing applications (T1190) and Unix shell command execution (T1059.004).