CVE-2024-49564
Published: 28 March 2025
Summary
CVE-2024-49564 is a high-severity OS Command Injection (CWE-78) vulnerability in Dell Unity Operating Environment. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 41.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly mitigates the OS command injection vulnerability by applying Dell's DSA-2025-116 security update to patch the improper input neutralization in Dell Unity.
Information input validation enforces proper sanitization of inputs to OS command functions, directly preventing command injection exploitation.
Least privilege limits the scope of low-privileged local access and enforces privilege separation, reducing the impact of successful command injection leading to root escalation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection (CWE-78) with local low-priv access directly enables arbitrary command execution as root, mapping to T1068 for privilege escalation and T1059.004 for Unix shell command execution on the Linux-based Dell Unity system.
NVD Description
Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to execution of arbitrary operating…
more
system commands with root privileges and elevation of privileges.
Deeper analysisAI
CVE-2024-49564 is an Improper Neutralization of Special Elements used in an OS Command, classified as an OS Command Injection vulnerability (CWE-78), affecting Dell Unity versions 5.4 and prior. This flaw allows attackers to inject malicious commands into operating system calls due to inadequate input sanitization.
A low-privileged attacker with local access can exploit this vulnerability with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables execution of arbitrary operating system commands with root privileges, leading to full privilege escalation and high impacts on confidentiality, integrity, and availability.
Dell has issued DSA-2025-116, a security update addressing this and multiple other vulnerabilities in Dell Unity, Dell UnityVSA, and Dell Unity XT. Practitioners should consult the advisory at https://www.dell.com/support/kbdoc/en-us/000300090/dsa-2025-116-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities for patch details and mitigation guidance.
Details
- CWE(s)