CVE-2025-24385

CVE-2025-24385 is an Improper Neutralization of Special Elements used in an OS Command, classified as an OS Command Injection vulnerability (CWE-78), affecting Dell Unity versions 5.4 and prior. This flaw exists in the storage system's software, where special elements in OS commands are not properly sanitized, potentially allowing malicious input to alter command execution.

A low-privileged attacker with local access to the system can exploit this vulnerability. Successful exploitation could lead to arbitrary code execution and elevation of privileges, granting the attacker higher-level access on the affected Dell Unity system. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high impacts on confidentiality, integrity, and availability with low attack complexity and no user interaction required.

Dell has addressed this issue in DSA-2025-116, a security update for multiple vulnerabilities in Dell Unity, Dell UnityVSA, and Dell Unity XT. Details and patches are available at https://www.dell.com/support/kbdoc/en-us/000300090/dsa-2025-116-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities.