Impact
The Dell UPS Multi‑UPS Management Console (MUMC) version 01.06.0001 (A03) contains an unquoted search path weakness (CWE‑428). An attacker can exploit it to direct the system to execute a malicious file that the attacker has placed in a writable directory on the system drive. This allows the attacker to run arbitrary code with SYSTEM privileges, compromising the confidentiality, integrity, and availability of the UPS system as well as any other services running on the same machine.
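An added audit example, not part of the advisory or of Dell's software: it flags service command lines that are unquoted and contain spaces, lists the directories whose write permissions should be reviewed, and produces the quoted form. The service names and paths are constructed, since the page does not give the console's install path.

```python
import re

# Constructed ImagePath values (the form stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>); none come from the advisory.
SAMPLE_SERVICES = {
    "ExampleUpsConsole": r"C:\Program Files\Example Vendor\UPS Console\console.exe -service",
    "QuotedService": r'"C:\Program Files\Example Vendor\Agent\agent.exe" --run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "KernelDriver": r"\SystemRoot\System32\drivers\example.sys",
}

# Shortest prefix ending in an executable extension, followed by whitespace or end.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd))(?=\s|$)", re.IGNORECASE)

def executable_part(image_path):
    """Executable path portion of an unquoted command line, or None."""
    m = EXE_RE.match(image_path.strip())
    return m.group(1) if m else None

def is_unquoted_with_spaces(image_path):
    """True when the executable path has a space and no surrounding quotes (CWE-428)."""
    if image_path.strip().startswith('"'):
        return False
    exe = executable_part(image_path)
    return exe is not None and " " in exe

def directories_to_review(image_path):
    """Parent directory of each space-delimited prefix; these must not be
    writable by non-administrators while the path stays unquoted."""
    parts = executable_part(image_path).split(" ")
    dirs = []
    for i in range(1, len(parts)):
        parent = " ".join(parts[:i]).rsplit("\\", 1)[0] + "\\"
        if parent not in dirs:
            dirs.append(parent)
    return dirs

def quoted_fix(image_path):
    """Same command line with the executable path wrapped in double quotes."""
    path = image_path.strip()
    exe = executable_part(path)
    return '"' + exe + '"' + path[len(exe):]

def audit(services):
    return {name: {"review_acls": directories_to_review(p), "fix": quoted_fix(p)}
            for name, p in services.items() if is_unquoted_with_spaces(p)}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_SERVICES).items():
        print(name, finding)
```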
Affected Systems
Systems running Dell Inc.’s UPS Multi‑UPS Management Console, specifically version 01.06.0001 (A03), are affected. No other Dell UPS software versions are listed as impacted in the available data. The vulnerability is tied to the console’s handling of unquoted paths during executable resolution on the system drive.
Risk and Exploitability
The CVSS score of 8.4 marks this flaw as high severity. The EPSS score of less than 1% indicates a very low estimated exploitation probability at this time, and the vulnerability is not currently tracked in CISA’s KEV catalog. However, the attack requires only a local user with write access to a system‑drive directory, so where such privileges are available, exploitation is straightforward and the impact is immediate. The high privilege escalation potential warrants urgent attention, even though the likelihood of exploitation in the wild remains low.