LiveActive security incident?Get immediate response
CVE Record

CVE-2018-15778: DSA-2019-019: Dell Networking OS10 OS Command Injection Vulnerability

Dell OS10 versions prior to 10.4.2.1 contain a vulnerability caused by lack of proper input validation on the command-line interface (CLI).

HighCVSS 8.8Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

Dell Networking OS10 before 10.4.2.1 has a command injection flaw in its CLI input handling. A low-privileged local user could potentially run operating system commands with serious confidentiality, integrity, and availability impact. This is high urgency for environments granting CLI access on Dell switches.

Executive priority

Prioritize remediation in network infrastructure programs because successful abuse could affect core switch confidentiality, integrity, and availability. Treat as high priority where CLI access is delegated beyond a small trusted administrator group.

Technical view

CVE-2018-15778 is an OS command injection issue caused by insufficient CLI input validation in Dell Networking OS10 versions prior to 10.4.2.1. CVSS 3.0 is 8.8 with local attack vector, low complexity, low privileges required, no user interaction, changed scope, and high CIA impact.

Likely exposure

Exposure is limited to Dell Networking OS10 systems running versions before 10.4.2.1. Risk is highest where non-admin or broadly shared accounts can access the OS10 CLI. The source bundle does not provide CPEs or a complete asset model.

Exploitation context

The provided sources do not support active exploitation. CISA KEV status is false in the bundle. Exploitation requires local access and low privileges, so this is not described as unauthenticated internet-facing remote exploitation.

Researcher notes

The source bundle identifies the vulnerable component only as the OS10 CLI and attributes the flaw to insufficient input validation. No CWE, exploit details, CPE list, or detection artifacts are provided, so validation should focus on version and access exposure.

Mitigation direction

  • Identify Dell Networking OS10 devices and record exact OS10 versions.
  • Upgrade systems running versions before 10.4.2.1 per Dell guidance.
  • Restrict CLI access to trusted administrators until remediation is complete.
  • Remove unnecessary low-privileged local accounts on affected devices.
  • Review Dell advisory for any environment-specific instructions.

Validation and detection

  • Confirm each Dell OS10 device reports version 10.4.2.1 or later.
  • Check whether low-privileged CLI users exist on affected systems.
  • Review administrative access controls for OS10 CLI entry points.
  • Verify remediation status against Dell advisory DSA-2019-019.
  • Document exceptions where upgrades cannot be completed promptly.
Prepared
Confidence
high
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2018-15778 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.8 (3.0)
Known Exploited
No
Published

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.8CVSS 3.0HighCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H26Primary CVE score

Vulnerability scoring details

Base CVSS 3.0 score

8.8High
CVSS 3.0 vector shape for CVE-2018-15778Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
DellDell Networking OS1010.4.2.1Listed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.