CVE-2025-24386
Published: 28 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-24386 is an Improper Neutralization of Special Elements used in an OS Command, classified as an OS Command Injection vulnerability (CWE-78), affecting Dell Unity storage systems in versions 5.4 and prior. This flaw allows malicious input to alter the intended behavior of OS commands executed by the system.
A low-privileged attacker with local access can exploit this vulnerability to achieve arbitrary command execution and privilege escalation. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability in a local attack scenario with low complexity and no user interaction required.
Dell has issued security advisory DSA-2025-116, detailing a security update for Dell Unity, Dell UnityVSA, and Dell Unity XT to remediate multiple vulnerabilities, including CVE-2025-24386. Security practitioners should consult the advisory at https://www.dell.com/support/kbdoc/en-us/000300090/dsa-2025-116-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities and apply the recommended patches promptly.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection enables arbitrary command execution via Unix shell (T1059.004) and is exploited for privilege escalation (T1068) from local low-privileged access.