Introduction
Remote attackers can execute arbitrary operating system commands on unpatched Dell Unity storage systems, putting enterprise data and infrastructure at risk. This vulnerability, tracked as CVE-2025-36604, affects Dell Unity, UnityVSA, and Unity XT platforms running version 5.5 and earlier, and is part of a cluster of critical issues disclosed in Dell Security Advisory DSA-2025-281.
About Dell Unity: Dell Technologies is a leading global IT vendor with a strong presence in enterprise storage, servers, and networking. The Unity product line is a widely deployed midrange storage solution used by thousands of organizations worldwide to support business-critical workloads and virtualized environments.
Technical Information
CVE-2025-36604 is an OS Command Injection vulnerability caused by improper neutralization of special elements in command construction. The flaw exists in Dell Unity, UnityVSA, and Unity XT systems running version 5.5 and prior. Attackers with remote network access can exploit the vulnerability by sending crafted input containing shell metacharacters or command separators to vulnerable endpoints. The vulnerable components do not sufficiently validate or sanitize user-supplied input before passing it to the operating system for command execution. As a result, arbitrary commands can be executed with the privileges of the affected service.
Key technical points:
- Vulnerability type: OS Command Injection (CWE-78)
- Attack vector: Remote network access
- Authentication: Not required
- Complexity: Low
- Impact: Arbitrary OS command execution
- Root cause: Insufficient input validation and sanitization in components processing user input for system commands
No public code snippets or proof of concept have been released for this vulnerability. Exploitation would typically involve sending specially crafted requests to management interfaces or service endpoints exposed by the affected Unity systems.
Patch Information
Dell Technologies has released a critical security update for Dell Unity, UnityVSA, and Unity XT systems to address multiple vulnerabilities, including CVE-2025-36604. (Dell Security Advisory DSA-2025-281)
Remediation Steps:
- Upgrade to Dell Unity Operating Environment (OE) version 5.5.1 or later.
- Verify your current OE version via the management interface.
- Download the latest OE version from the Dell Unity Drivers & Downloads page.
- Follow official installation instructions and confirm the update is successful.
- Review system logs and user access controls regularly.
By applying this update, organizations can mitigate the risk of exploitation for CVE-2025-36604 and related vulnerabilities.
Affected Systems and Versions
- Dell Unity, UnityVSA, and Unity XT systems running Operating Environment (OE) version 5.5 and all prior versions are vulnerable.
- All configurations of these products with OE version 5.5 or earlier are affected.
- Systems upgraded to OE version 5.5.1 or later are not vulnerable to this issue.
Vendor Security History
Dell Technologies regularly publishes security advisories for its storage and infrastructure products. Previous advisories have addressed similar input validation and command injection issues in management interfaces and system utilities. Dell typically provides timely patches and detailed remediation guidance for disclosed vulnerabilities. The Unity platform has seen multiple advisories in recent years, reflecting both its widespread deployment and the ongoing need for robust security practices in enterprise storage environments.