CVE-2023-32450

Vulnerability

Dell Power Manager versions 3.3 through 3.14 contain an improper access control vulnerability. A low-privileged malicious user may exploit this flaw to perform arbitrary code execution with limited access. The vulnerability is present in the software component and does not require any special configuration beyond a standard installation [1].

Exploitation

An attacker with low-privileged local access can exploit this vulnerability without user interaction. The attack complexity is low, meaning the attacker can reliably trigger the code execution path. No network access is required; the attacker must already have a foothold on the system with limited privileges [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code with limited access, potentially leading to a high availability impact (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H). Confidentiality impact is low, and integrity impact is none. The scope remains unchanged, meaning the attacker cannot escape the security context of the affected application [1].

Mitigation

Dell has released version 3.15 of Dell Power Manager on 2023-07-26 to remediate this vulnerability. Users should update to version 3.15 or later via the Dell support driver page [1]. No workarounds are documented. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.