CVE-2025-23383
Published: 28 March 2025
Summary
CVE-2025-23383 is a high-severity OS Command Injection (CWE-78) vulnerability in Dell Unity Operating Environment. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 41.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses OS command injection by requiring validation and sanitization of special elements in inputs to OS commands.
Ensures timely remediation of the specific command injection flaw through patching as detailed in Dell's security advisory.
Limits the impact of arbitrary command execution and privilege escalation by enforcing least privilege for local low-privileged accounts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection (CWE-78) directly enables arbitrary command execution via Unix shell (T1059.004) and privilege escalation (T1068) for local low-privileged attackers.
NVD Description
Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution and Elevation…
more
of privileges.
Deeper analysisAI
CVE-2025-23383 is an Improper Neutralization of Special Elements used in an OS Command, classified as an OS Command Injection vulnerability (CWE-78), affecting Dell Unity storage systems in versions 5.4 and prior. Published on 2025-03-28, this flaw allows special elements in OS commands to be inadequately sanitized, enabling malicious input to alter command execution.
A low-privileged attacker with local access can exploit CVE-2025-23383 to achieve arbitrary command execution and privilege escalation. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high impacts on confidentiality, integrity, and availability in a local attack scenario with low complexity and no user interaction required.
Dell's security advisory DSA-2025-116 details a security update addressing multiple vulnerabilities, including CVE-2025-23383, in Dell Unity, Dell UnityVSA, and Dell Unity XT systems. Security practitioners should review the advisory at https://www.dell.com/support/kbdoc/en-us/000300090/dsa-2025-116-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities for patch deployment and mitigation guidance.
Details
- CWE(s)