{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24502", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2026-01-23T06:07:21.817Z", "datePublished": "2026-03-03T20:43:18.570Z", "dateUpdated": "2026-03-04T04:55:39.757Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Dell Command | Intel vPro Out of Band", "vendor": "Dell", "versions": [{"lessThan": "4.7.0", "status": "affected", "version": "N/A", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Dell would like to thank Sandro Poppi for reporting this issue."}], "datePublic": "2026-03-03T18:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Dell Command | Intel vPro Out of Band, versions prior to 4.7.0, contain an Uncontrolled Search Path Element vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges."}], "value": "Dell Command | Intel vPro Out of Band, versions prior to 4.7.0, contain an Uncontrolled Search Path Element vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-03-03T20:43:18.570Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000429179/dsa-2026-106"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-24502"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T04:55:39.757Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24502", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-03T21:01:48.266629Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T21:01:51.580Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Dell would like to thank Sandro Poppi for reporting this issue."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dell", "product": "Dell Command | Intel vPro Out of Band", "versions": [{"status": "affected", "version": "N/A", "lessThan": "4.7.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-03T18:00:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000429179/dsa-2026-106", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Dell Command | Intel vPro Out of Band, versions prior to 4.7.0, contain an Uncontrolled Search Path Element vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.", "supportingMedia": [{"type": "text/html", "value": "Dell Command | Intel vPro Out of Band, versions prior to 4.7.0, contain an Uncontrolled Search Path Element vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-03-03T20:43:18.570Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24502", "state": "PUBLISHED", "dateUpdated": "2026-03-04T04:55:39.757Z", "dateReserved": "2026-01-23T06:07:21.817Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2026-03-03T20:43:18.570Z", "assignerShortName": "dell"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dell:command_\\|_intel_vpro_out_of_band:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5865161-3DF4-4A49-93BE-8829428BB868", "versionEndExcluding": "4.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell Command | Intel vPro Out of Band, versions prior to 4.7.0, contain an Uncontrolled Search Path Element vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges."}], "id": "CVE-2026-24502", "lastModified": "2026-03-05T21:25:08.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "security_alert@emc.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-03T21:15:58.240", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000429179/dsa-2026-106"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "security_alert@emc.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.7.0)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "Dell Command | Intel vPro Out of Band", "source": "cna", "vendor": "Dell"}, "product": "command_|_intel_vpro_out_of_band", "vendor": "dell"}], "analysis": {"en": {"generated_at": "2026-04-16T13:58:44.878147+00:00", "value": {"mitigation_remediation": ["Install the latest Dell Command\u202f|\u202fIntel vPro Out of Band update (4.7.0 or newer) to remove the uncontrolled search path element flaw.", "Verify that the PATH environment variable used by the product contains only trusted, system\u2011owned directories and does not include locations writable by ordinary users.", "Apply the principle of least privilege to local accounts, limiting their permissions so that even if they exploit the flaw, the damage is contained."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The issue affects Dell Command\u202f|\u202fIntel vPro Out of Band on Dell systems, specifically all releases earlier than version\u202f4.7.0. The vulnerability is tied to the component that processes the PATH variable during operation, and the affected binaries are distributed with the Dell Command product suite.", "description_and_impact": "Dell Command\u202f|\u202fIntel vPro Out of Band versions earlier than 4.7.0 suffer from an uncontrolled search path element vulnerability (CWE\u2011427). The flaw allows a local attacker with limited privileges to influence the search path used by the software, potentially enabling the execution of malicious code under higher authority. Exploitation would result in local privilege escalation, granting the attacker greater access to system resources.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity, while the EPSS of less than 1\u202f% suggests low current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog, meaning no publicly known exploitable variants have been reported. An attacker must have physical or local administrative access, so the attack vector is local. If the software remains unpatched, a local user could bypass restrictions, gaining elevated privileges and potentially accessing or modifying sensitive data."}}}}, "created": "2026-03-04T14:53:54.327094+00:00", "title": "Local Privilege Escalation via Uncontrolled Search Path Element in Dell Command\u202f|\u202fIntel vPro Out of Band", "updated": "2026-04-16T14:00:19.505074+00:00", "vendors": ["dell", "dell$PRODUCT$command_|_intel_vpro_out_of_band"]}