CVE-2025-24386
Published: 28 March 2025
Summary
CVE-2025-24386 is a high-severity OS Command Injection (CWE-78) vulnerability in Dell Unity Operating Environment. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 41.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses improper neutralization of special elements in OS commands by requiring validation and sanitization of user inputs to prevent command injection.
Requires timely remediation of the specific OS command injection flaw through vendor patching as detailed in Dell's security advisory.
Enforces least privilege to limit the scope and impact of privilege escalation resulting from successful command injection by low-privileged local attackers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection enables arbitrary command execution via Unix shell (T1059.004) and is exploited for privilege escalation (T1068) from local low-privileged access.
NVD Description
Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution and Elevation…
more
of privileges.
Deeper analysisAI
CVE-2025-24386 is an Improper Neutralization of Special Elements used in an OS Command, classified as an OS Command Injection vulnerability (CWE-78), affecting Dell Unity storage systems in versions 5.4 and prior. This flaw allows malicious input to alter the intended behavior of OS commands executed by the system.
A low-privileged attacker with local access can exploit this vulnerability to achieve arbitrary command execution and privilege escalation. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability in a local attack scenario with low complexity and no user interaction required.
Dell has issued security advisory DSA-2025-116, detailing a security update for Dell Unity, Dell UnityVSA, and Dell Unity XT to remediate multiple vulnerabilities, including CVE-2025-24386. Security practitioners should consult the advisory at https://www.dell.com/support/kbdoc/en-us/000300090/dsa-2025-116-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities and apply the recommended patches promptly.
Details
- CWE(s)