CVE-2025-24378
Description
Dell Unity versions 5.4 and prior contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low-privileged attacker with local access could potentially exploit this vulnerability, leading to command execution and elevation of privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell Unity versions 5.4 and prior contain an OS command injection vulnerability that allows a low-privileged local attacker to execute arbitrary commands and elevate privileges.
Vulnerability
Dell Unity, Dell UnityVSA, and Dell Unity XT systems running version 5.4 and prior contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [1]. The flaw resides in a component that fails to properly sanitize user-supplied input before passing it to an operating system command. A low-privileged attacker with local access can leverage this to inject arbitrary commands.
Exploitation
An attacker needs local access to the affected system and a low-privileged account. No additional authentication or user interaction beyond obtaining local shell access is required. The attacker can craft a malicious input that, when processed by the vulnerable component, results in the execution of arbitrary operating system commands with the privileges of the affected service [1].
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands, leading to command execution and elevation of privileges [1]. This can result in full compromise of the affected system, including unauthorized access to sensitive data, modification of system configurations, and potential lateral movement within the network.
Mitigation
Dell has released a security update to address this vulnerability. Affected customers should apply the fix provided in DSA-2025-116 for Dell Unity, Dell UnityVSA, and Dell Unity XT [1]. The update is available through Dell's support portal. There are no known workarounds; applying the patch is the recommended course of action.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.