Introduction
An attacker with credentials to a Dell Unity storage system can escape the restricted shell and execute arbitrary commands as root. This vulnerability impacts the integrity and availability of enterprise storage environments running affected versions. Dell Unity is a widely deployed enterprise storage platform, serving thousands of organizations globally with critical data storage and management capabilities. The platform's reliability and security are central to the operations of many large enterprises and service providers.
Technical Information
CVE-2025-36607 is an OS command injection vulnerability in the svc_nas utility of Dell Unity Operating Environment, affecting versions 5.5 and prior. The root cause is improper neutralization of special elements used in OS commands (CWE-78). The vulnerability allows an authenticated attacker to supply crafted input to the svc_nas utility, which is then executed by the shell with root privileges. This enables the attacker to escape the restricted shell environment and run arbitrary commands as root on the underlying operating system.
The attack requires local access with valid credentials. Exploitation does not require user interaction and has low complexity once access is obtained. The vulnerability is not known to be remotely exploitable without authentication, but it could be chained with other vulnerabilities or credential compromise.
No public code snippets or exploit samples are available at this time. The vulnerability is closely related to other command injection issues recently disclosed in Dell Unity utilities, such as svc_nfssupport (CVE-2025-36606) and unauthenticated remote command injection in other components (CVE-2025-36604).
Patch Information
Dell Technologies has addressed multiple security vulnerabilities in Dell Unity, UnityVSA, and Unity XT systems by releasing an updated version of the Dell Unity Operating Environment (OE). (dell.com)
Key Updates in Version 5.5.1:
- OS Command Injection Vulnerabilities:
  - CVE-2025-36604: Resolved an issue where unauthenticated remote attackers could execute arbitrary commands.
  - CVE-2025-36606 & CVE-2025-36607: Fixed vulnerabilities in the svc_nfssupport and svc_nas utilities that allowed authenticated users to escape the restricted shell and execute commands with root privileges.
- Cross-Site Scripting (XSS) Vulnerability:
  - CVE-2025-36605: Addressed a flaw that permitted unauthenticated attackers to inject malicious scripts, potentially leading to information disclosure or session theft.
Recommendations:
To mitigate these vulnerabilities, it is crucial to upgrade to Dell Unity OE version 5.5.1 or later. The updated firmware is available for download on Dell's official support page. (dell.com)
Upgrade Steps:
- Backup Data: Ensure all critical data is backed up before initiating the upgrade.
- Review Release Notes: Familiarize yourself with the release notes to understand the changes and improvements.
- Download Firmware: Access the Dell support portal to download the latest firmware version.
- Follow Upgrade Procedures: Adhere to the official upgrade procedures provided by Dell to ensure a smooth transition.
By promptly applying this update, organizations can safeguard their systems against potential exploits targeting these vulnerabilities.
Affected Systems and Versions
- Dell Unity Operating Environment versions 5.5 and prior
- Affects all configurations where the svc_nas utility is present and accessible
- Also relevant for Dell UnityVSA and Dell Unity XT systems running affected OE versions
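To apply the version boundary above across an inventory, the following added example (not Dell's code or tooling) sorts arrays into affected, fixed and unknown using 5.5.1 as the first fixed release. The hostnames and version strings are constructed, and it assumes OE versions are dotted-numeric with major.minor.patch in the first three fields.

```python
import re

FIXED = (5, 5, 1)  # first fixed OE release per the advisory text above

def parse_oe_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_affected(version):
    """True if below 5.5.1, False if at or above it, None if unparseable."""
    parsed = parse_oe_version(version)
    if parsed is None:
        return None
    # Pad short versions ("5.5" -> 5.5.0) and compare only major.minor.patch,
    # so trailing build fields (layout assumed) do not influence the result.
    head = (parsed + (0, 0, 0))[:3]
    return head < FIXED

def triage(inventory):
    """Group hostnames into affected / fixed / unknown buckets."""
    buckets = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        state = is_affected(version)
        key = "unknown" if state is None else ("affected" if state else "fixed")
        buckets[key].append(host)
    return buckets

# Constructed inventory: hostnames and version strings are made up for this example.
SAMPLE_INVENTORY = [
    ("unity-a", "5.5"),
    ("unity-b", "5.5.1"),
    ("unity-c", "5.4.0.0.5.094"),
    ("unity-d", "5.10.0"),  # numeric compare: 10 > 5; a string compare gets this wrong
    ("unity-e", "unknown"),
    ("unity-f", "5.5.1.0.5.001"),
]

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Systems that land in the unknown bucket should be checked by hand rather than assumed fixed.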
Vendor Security History
Dell Unity has experienced a series of command injection vulnerabilities in 2025, including:
- CVE-2025-36604: Unauthenticated remote OS command injection
- CVE-2025-36606: Authenticated OS command injection in svc_nfssupport
- CVE-2025-22398: Critical unauthenticated command execution vulnerability (March 2025)
Dell has responded with coordinated security advisories and timely patches, but the recurrence of similar vulnerabilities in core utilities suggests ongoing challenges in input validation and secure coding practices within the product line.