CVE-2023-28065: 
Dell Command Update vulnerability analysis and mitigation

Dell Command | Update, Dell Update, and Alienware Update versions 4.8.0 and prior contain an Insecure Operation on Windows Junction / Mount Point vulnerability identified as CVE-2023-28065. The vulnerability was discovered in March 2023 and publicly disclosed in June 2023. The affected software includes Dell Command | Update, Dell Update, and Alienware Update applications running on Windows systems (Dell Advisory).

The vulnerability is classified as an Insecure Operation on Windows Junction / Mount Point issue (CWE-1386, CWE-59). It has received a CVSS v3.1 base score of 7.3 HIGH from NIST NVD with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, while Dell assigned it a score of 6.7 MEDIUM with vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. The difference in scoring primarily relates to the attack complexity assessment (NVD).

If successfully exploited, this vulnerability could allow a local malicious user to escalate privileges on the affected system. The vulnerability affects confidentiality, integrity, and availability with high severity ratings across all three aspects (Dell Advisory).

Dell has released version 4.9.0 for all affected products as a security update to address this vulnerability. No workarounds are available, making it critical to update to the patched version. Updates are available for both Universal Windows Platform version and Windows 32/64-bit versions (Dell Advisory).

Dell Technologies acknowledged Marius Gabriel Mihai for reporting this security issue (Dell Advisory).