CVE-2025-22398
Published: 28 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-22398 is an Improper Neutralization of Special Elements used in an OS Command vulnerability, classified under CWE-78, affecting Dell Unity versions 5.4 and prior. This flaw allows special elements in OS commands to be inadequately sanitized, enabling injection attacks within the storage system's operating environment.
An unauthenticated attacker with remote network access can exploit this vulnerability due to its low attack complexity, lack of required privileges, and absence of user interaction, as indicated by the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation grants arbitrary command execution with root privileges, potentially resulting in full system takeover and complete compromise of the operating system.
Dell advisories, detailed in DSA-2025-116, recommend that customers upgrade affected Dell Unity systems at the earliest opportunity to mitigate this critical vulnerability. Further information is available at https://www.dell.com/support/kbdoc/en-us/000300090/dsa-2025-116-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection (CWE-78) in remotely accessible Dell Unity storage system enables unauthenticated remote code execution as root, directly mapping to exploitation of public-facing application (T1190) and Unix Shell command execution (T1059.004).