CVE-2024-49565
Description
Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution and Elevation of privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A low-privileged local attacker can exploit an OS command injection in Dell Unity 5.4 and prior to execute arbitrary commands and elevate privileges.
Vulnerability
Dell Unity versions 5.4 and prior contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [1]. This flaw exists in a component that processes user-supplied input without proper sanitization, allowing an attacker to inject arbitrary OS commands. The vulnerability is present in Dell Unity, Dell UnityVSA, and Dell Unity XT systems [1].
Exploitation
An attacker with low-privileged local access can exploit this vulnerability by providing specially crafted input to an affected command or script [1]. The attacker does not require any additional privileges beyond a low-privileged account on the system. The exploitation does not require user interaction or network access, as it is a local attack vector [1].
Impact
Successful exploitation allows the attacker to execute arbitrary OS commands with elevated privileges, leading to full compromise of the affected system [1]. This can result in unauthorized data access, modification, or deletion, as well as potential lateral movement within the network.
Mitigation
Dell has released a security update (DSA-2025-116) to address this vulnerability [1]. Users are strongly advised to apply the update to Dell Unity, Dell UnityVSA, and Dell Unity XT systems running version 5.4 or earlier. No workarounds are provided; the only mitigation is to install the fixed version [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.