CVE-2025-24378
Published: 28 March 2025
Summary
CVE-2025-24378 is a high-severity OS Command Injection (CWE-78) vulnerability in Dell Unity Operating Environment. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 41.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by requiring validation and neutralization of special elements in inputs to system commands.
Ensures timely remediation of the specific command injection flaw through patching as detailed in Dell's security advisory.
Limits the impact of privilege escalation from exploited command injection by enforcing least privilege for local low-privileged accounts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection (CWE-78) allows low-privileged local attacker to achieve arbitrary command execution leading to privilege escalation, directly mapping to T1068 (Exploitation for Privilege Escalation) and T1059.004 (Unix Shell) for command execution on the Linux-based Dell Unity system.
NVD Description
Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution and Elevation…
more
of privileges.
Deeper analysisAI
CVE-2025-24378 is an Improper Neutralization of Special Elements used in an OS Command vulnerability, classified under CWE-78, affecting Dell Unity versions 5.4 and prior. This OS command injection flaw allows malicious input to alter intended command execution within the storage system's operating environment.
A low-privileged attacker with local access can exploit this vulnerability to achieve arbitrary command execution and privilege escalation. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability in a local context with low complexity and no user interaction required.
Dell has issued security advisory DSA-2025-116, detailing a security update for Dell Unity, Dell UnityVSA, and Dell Unity XT to remediate multiple vulnerabilities, including CVE-2025-24378. Practitioners should consult the advisory at https://www.dell.com/support/kbdoc/en-us/000300090/dsa-2025-116-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities for patch deployment and mitigation guidance.
Details
- CWE(s)