CVE-2025-24383
Published: 28 March 2025
Description
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Security Summary
CVE-2025-24383 is an OS command injection vulnerability (CWE-78) affecting Dell Unity storage systems in versions 5.4 and prior. The flaw stems from improper neutralization of special elements used in an OS command, allowing malicious input to execute arbitrary commands. It has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), reflecting its critical severity due to network accessibility, low attack complexity, and lack of prerequisites for exploitation.
An unauthenticated attacker with remote network access can exploit this vulnerability to delete arbitrary files on the targeted system. Successful exploitation enables deletion of critical system files with root privileges, potentially disrupting storage operations, causing denial of service, or leading to data loss through targeted file removal.
Dell's security advisory (DSA-2025-116) recommends that customers upgrade affected Dell Unity, UnityVSA, and Unity XT systems at the earliest opportunity to mitigate the vulnerability, as detailed in the knowledge base article at https://www.dell.com/support/kbdoc/en-us/000300090/dsa-2025-116-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in public-facing Dell Unity storage system enables remote unauthenticated exploitation (T1190), arbitrary command execution via Unix shell (T1059.004), and targeted file deletion for data destruction (T1485).