CVE-2025-24377
Description
Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution and Elevation of privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A local low-privileged attacker can inject OS commands in Dell Unity versions 5.4 and prior, leading to code execution and privilege escalation.
Vulnerability
The vulnerability is an OS command injection (CWE-78) in Dell Unity, Dell UnityVSA, and Dell Unity XT systems running versions 5.4 and prior [1]. An attacker can inject arbitrary operating system commands through improperly neutralized special elements within the application's input processing. No specific configuration or special conditions beyond local access are mentioned in the references.
Exploitation
An attacker with low privileges and local access to the Dell Unity system can exploit this vulnerability. The exact steps are not detailed in the available references, but the pattern implied by CWE-78 is that the attacker supplies crafted input to an interface that passes the input, without neutralizing shell metacharacters, to a system shell [1]. The references describe no required user interaction and no race window; the prerequisites are valid low-privileged credentials and local access.
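The injection pattern described above, as an added illustration in generic Python. This is not Dell Unity's code (the references do not show the appliance's internals); the helper, its "component" parameter, the allow-list and the harmless `echo` payload are assumptions chosen so the example runs on any POSIX host. It contrasts three versions of a privileged helper that takes a low-privileged caller's argument: the vulnerable string-to-shell form, an argv-only form that makes metacharacters inert, and a hardened form that also allow-lists the value, which is what blocks option injection (a leading `-`) that argv alone does not stop.

```python
"""
Added illustration of the CWE-78 pattern; not Dell Unity code.

run_vulnerable  : builds a shell string from caller input (the bug class)
run_argv_only   : no shell, argv passed to execve, so ';' '|' '$()' are inert
run_hardened    : argv plus a strict allow-list, also rejecting "--option" values
All names below are assumptions made for the demo.
"""
import re
import subprocess

# Constructed allow-list standing in for whatever the real helper accepts.
ALLOWED_COMPONENTS = frozenset({"mgmt", "storage", "network"})
SAFE_TOKEN = re.compile(r"^[a-z0-9_]{1,32}$")


def run_vulnerable(component: str) -> str:
    """Caller text is concatenated into a command line handed to /bin/sh."""
    cmd = "echo collecting " + component          # metacharacters are interpreted
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(component: str) -> str:
    """No shell: the argument reaches the program as a single argv element."""
    return subprocess.run(
        ["echo", "collecting", component], capture_output=True, text=True
    ).stdout


def validate_component(component: str) -> str:
    """Strict allow-list: rejects metacharacters, spaces and leading '-'."""
    if not SAFE_TOKEN.fullmatch(component) or component not in ALLOWED_COMPONENTS:
        raise ValueError(f"rejected component name: {component!r}")
    return component


def run_hardened(component: str) -> str:
    """Validation first, then argv execution: the shape a CWE-78 fix should take."""
    return run_argv_only(validate_component(component))


def rejects(component: str) -> bool:
    """True when the hardened path refuses the value."""
    try:
        run_hardened(component)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "mgmt; echo INJECTED"          # constructed attacker input
    print("vulnerable:", repr(run_vulnerable(payload)))   # second command executes
    print("argv only :", repr(run_argv_only(payload)))    # printed back literally
    print("hardened  :", rejects(payload))                # True: input rejected
```

Running the script shows the vulnerable helper emitting a second line, `INJECTED`, produced by the attacker's appended command, while the argv-only helper prints the payload verbatim and the hardened helper refuses it. In a setuid or daemon-backed helper, the extra command would run with the helper's privileges rather than the caller's, which is the elevation-of-privilege outcome the advisory describes.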
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands on the affected system with privileges higher than those of the low-privileged account used to trigger the flaw. The references describe the outcome as code execution and elevation of privileges, potentially to an administrative level [1]. The confidentiality, integrity, and availability of the affected system are all at risk.
Mitigation
Dell has released a security update to address this vulnerability. The fix is included in the update documented in DSA-2025-116 [1]. Organizations should apply the recommended update as soon as possible. No workaround is provided. The product is not listed as EOL or on the CISA KEV catalog based on the references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.