CVE-2024-22426

Dell RecoverPoint for Virtual Machines 5.3.x, 6.0.SP1 contains an OS Command injection vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to execute arbitrary operating system commands, which will get executed in the context of the root user, resulting in a complete system compromise.

CVSS v3.0 9.8 CRITICAL

9.8^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.dell.com/support/kbdoc/en-us/000222133/dsa-2024-092-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-vulnerabilities	Vendor Advisory
https://www.dell.com/support/kbdoc/en-us/000222133/dsa-2024-092-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-vulnerabilities	Vendor Advisory
https://www.dell.com/support/kbdoc/en-us/000228154/dsa-2024-369-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-vulnerabilities	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dell:recoverpoint_for_virtual_machines:6.0:sp1::::::
	cpe:2.3:a:dell:recoverpoint_for_virtual_machines:5.3:sp2_p2::::::
	cpe:2.3:a:dell:recoverpoint_for_virtual_machines:5.3:sp2_p4::::::
	cpe:2.3:a:dell:recoverpoint_for_virtual_machines:5.3:sp3_p1::::::
	cpe:2.3:a:dell:recoverpoint_for_virtual_machines:5.3:sp3_p2::::::
	cpe:2.3:a:dell:recoverpoint_for_virtual_machines:5.3:sp2_p1::::::
	cpe:2.3:a:dell:recoverpoint_for_virtual_machines:5.3:sp2::::::

History

23 Jan 2025, 16:50

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CWE	~~CWE-434~~	CWE-78
First Time		Dell Dell recoverpoint For Virtual Machines
References	~~() https://www.dell.com/support/kbdoc/en-us/000228154/dsa-2024-369-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-vulnerabilities -~~	() https://www.dell.com/support/kbdoc/en-us/000228154/dsa-2024-369-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-vulnerabilities - Vendor Advisory
References	~~() https://www.dell.com/support/kbdoc/en-us/000222133/dsa-2024-092-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-vulnerabilities -~~	() https://www.dell.com/support/kbdoc/en-us/000222133/dsa-2024-092-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-vulnerabilities - Vendor Advisory
CPE		cpe:2.3:a:dell:recoverpoint_for_virtual_machines:5.3:sp2_p1:::::: cpe:2.3:a:dell:recoverpoint_for_virtual_machines:5.3:sp2:::::: cpe:2.3:a:dell:recoverpoint_for_virtual_machines:6.0:sp1:::::: cpe:2.3:a:dell:recoverpoint_for_virtual_machines:5.3:sp2_p4:::::: cpe:2.3:a:dell:recoverpoint_for_virtual_machines:5.3:sp3_p1:::::: cpe:2.3:a:dell:recoverpoint_for_virtual_machines:5.3:sp2_p2:::::: cpe:2.3:a:dell:recoverpoint_for_virtual_machines:5.3:sp3_p2::::::

29 Aug 2024, 13:15

Type	Values Removed	Values Added
References		() https://www.dell.com/support/kbdoc/en-us/000228154/dsa-2024-369-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-vulnerabilities -
Summary	Dell RecoverPoint for Virtual Machines 5.3.x contains an OS Command injection vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to execute arbitrary operating system commands, which will get executed in the context of the root user, resulting in a complete system compromise.	Dell RecoverPoint for Virtual Machines 5.3.x, 6.0.SP1 contains an OS Command injection vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to execute arbitrary operating system commands, which will get executed in the context of the root user, resulting in a complete system compromise.

16 Feb 2024, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-16 12:15

Updated : 2025-01-23 16:50

NVD link : CVE-2024-22426

Mitre link : CVE-2024-22426

JSON object : View

Products Affected

dell

recoverpoint_for_virtual_machines

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

9.8 /10