CVE-2025-24383

Vulnerability

Dell Unity, Dell UnityVSA, and Dell Unity XT operating environment version(s) 5.4 and prior contain an improper neutralization of special elements used in an OS command injection vulnerability (CVE-2025-24383). The flaw resides in how the system handles certain inputs, failing to properly sanitize user-supplied data before using it in operating system commands. No authentication or special configuration is required to reach the vulnerable code path; the attack vector is remote network access.

Exploitation

An unauthenticated attacker with network access to the affected Dell Unity system can exploit this vulnerability by sending a specially crafted request containing OS command metacharacters. The lack of input validation allows the attacker to inject arbitrary operating system commands. The exploit does not require any user interaction or prior authentication.

Impact

Successful exploitation grants the attacker the ability to delete arbitrary files on the target system, including critical system files. Because the vulnerable component runs with root privileges, the attacker can delete any file on the system, potentially causing a denial of service or rendering the system inoperable. This is a confidentiality, integrity, and availability impact primarily affecting system availability and integrity.

Mitigation

Dell has released a security update to address this vulnerability and recommends customers upgrade at the earliest opportunity. The fixed version is not explicitly stated in the available references [1], but users should consult the Dell Security Advisory (DSA-2025-116) for the specific upgrade path. No workarounds are documented. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) Catalog.