Cyber Resilience

CVE-2025-24378

High

Published: 28 March 2025

Published
28 March 2025
Modified
08 July 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0019 41.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24378 is a high-severity OS Command Injection (CWE-78) vulnerability in Dell Unity Operating Environment. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-24378 is an Improper Neutralization of Special Elements used in an OS Command vulnerability, classified under CWE-78, affecting Dell Unity versions 5.4 and prior. This OS command injection flaw allows malicious input to alter intended command execution within the storage system's operating environment.

A low-privileged attacker with local access can exploit this vulnerability to achieve arbitrary command execution and privilege escalation. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability in a local context with low complexity and no user interaction required.

Dell has issued security advisory DSA-2025-116, detailing a security update for Dell Unity, Dell UnityVSA, and Dell Unity XT to remediate multiple vulnerabilities, including CVE-2025-24378. Practitioners should consult the advisory at https://www.dell.com/support/kbdoc/en-us/000300090/dsa-2025-116-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities for patch deployment and mitigation guidance.

EU & UK References

Vulnerability details

Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution and Elevation…

more

of privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection (CWE-78) allows low-privileged local attacker to achieve arbitrary command execution leading to privilege escalation, directly mapping to T1068 (Exploitation for Privilege Escalation) and T1059.004 (Unix Shell) for command execution on the Linux-based Dell Unity system.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23383Same product: Dell Unity Operating Environment
CVE-2026-22277Same product: Dell Unity Operating Environment
CVE-2025-24380Same product: Dell Unity Operating Environment
CVE-2025-24386Same product: Dell Unity Operating Environment
CVE-2024-49564Same product: Dell Unity Operating Environment
CVE-2025-24379Same product: Dell Unity Operating Environment
CVE-2024-49563Same product: Dell Unity Operating Environment
CVE-2024-49565Same product: Dell Unity Operating Environment
CVE-2025-24385Same product: Dell Unity Operating Environment
CVE-2026-21418Same product: Dell Unity Operating Environment

Affected Assets

dell
unity operating environment
≤ 5.5.0.0.5.259

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by requiring validation and neutralization of special elements in inputs to system commands.

prevent

Ensures timely remediation of the specific command injection flaw through patching as detailed in Dell's security advisory.

prevent

Limits the impact of privilege escalation from exploited command injection by enforcing least privilege for local low-privileged accounts.

References