CVE-2025-24379

Vulnerability

Dell Unity, UnityVSA, and Unity XT running version 5.4 and prior contain an OS command injection vulnerability (CVE-2025-24379) in the product's management interface. The software fails to properly neutralize special elements used in OS commands, allowing an attacker to inject arbitrary commands into a system call. Affected versions are those prior to the security update released in DSA-2025-116 [1].

Exploitation

An attacker must have low-privileged local access to the Dell Unity system, meaning they already possess a valid account with minimal permissions on the appliance. No additional network-based authentication is required beyond local shell or UI access. The attacker can craft input containing shell metacharacters that are passed unsanitized to an OS command, which then executes with elevated privileges. The exact sequence of steps is not detailed in the available references, but the vulnerability class is a standard OS command injection [1].

Impact

Successful exploitation allows the attacker to execute arbitrary OS commands on the underlying system, leading to full command execution and elevation of privileges. This can result in complete compromise of the Unity storage appliance, including unauthorized access to stored data, disruption of storage services, and potential pivot to other systems on the network. The impact is rated Critical by Dell [1].

Mitigation

Dell has released a security update as part of DSA-2025-116. The advisory recommends upgrading to a fixed version of Dell Unity OE (Operating Environment). The specific fixed version number is not provided in the available reference, but customers should apply the latest Unity OE update from Dell's support site. No workaround is documented; applying the patch is the only mitigation. There is no indication that this CVE is listed in the Known Exploited Vulnerabilities (KEV) catalog at this time.