Unrated severityNVD Advisory· Published Mar 28, 2025· Updated Feb 26, 2026

CVE-2025-24380

Description

Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution and Elevation of privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A low-privileged local attacker can inject OS commands in Dell Unity 5.4 and prior, leading to command execution and privilege escalation.

Vulnerability

Dell Unity, Dell UnityVSA, and Dell Unity XT running version 5.4 and earlier contain an OS Command Injection vulnerability (CWE-78) due to improper neutralization of special elements used in OS commands [1]. A low-privileged attacker with local access can exploit this flaw to execute arbitrary operating system commands on the affected system [1]. The vulnerability exists in the product's management interface or supporting services where user-supplied input is passed unsanitized to a shell or command execution function.

Exploitation

To exploit this vulnerability, an attacker must have low-privileged local access to the Dell Unity system [1]. No network vector is described; the attacker requires interactive or scripted access to the local operating system or management console. The attacker then supplies specially crafted input containing OS command delimiters (e.g., semicolons, pipe characters, or backticks) to an affected input field or parameter. The application, failing to properly sanitize the input, passes it to an OS-level command interpreter, which executes the injected commands alongside the intended operation.

Impact

Successful exploitation allows the attacker to execute arbitrary OS commands on the target Dell Unity system with the privileges of the vulnerable process [1]. This typically results in command execution and elevation of privileges, enabling the attacker to gain full administrative control over the storage system, read or modify sensitive data, disrupt storage services, or pivot to other network-connected systems.

Mitigation

Dell has released a security update to address this vulnerability. Customers are advised to apply the latest patch as described in Dell Security Advisory DSA-2025-116 [1]. For Dell Unity, UnityVSA, and Unity XT version 5.4 and prior, update to the fixed version provided by Dell. No workarounds are documented; upgrading is the recommended mitigation. If the system is end-of-life (EOL) and no patch is available, Dell recommends isolating the device from untrusted local users and networks.

References

DSA-2025-116: Security Update for Dell Unity, Dell UnityVSA and Dell Unity XT Security Update for Multiple Vulnerabilities

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Sift/Unityllm-fuzzy
Range: <=5.4
Dell/Unity XTcpe-rescue
Range: N/A

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.dell.com/support/kbdoc/en-us/000300090/dsa-2025-116-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilitiesmitrevendor-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000