CVE-2025-36604
Published: 04 August 2025
Summary
CVE-2025-36604 is a high-severity OS Command Injection (CWE-78) vulnerability in Dell Unity Operating Environment. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Dell Unity versions 5.5 and prior are affected by an OS command injection vulnerability tracked as CVE-2025-36604 and CWE-78. The flaw stems from improper neutralization of special elements in operating system commands and carries a CVSS 3.1 base score of 7.3.
An unauthenticated attacker with remote network access can exploit the issue to execute arbitrary commands on the affected system, obtaining limited impacts to confidentiality, integrity, and availability without requiring user interaction.
Dell’s advisory DSA-2025-281 recommends applying the vendor-supplied security updates for Dell Unity, UnityVSA, and Unity XT to address multiple vulnerabilities including this one. Public technical analyses and proof-of-concept material have also been published by watchTowr Labs.
The EPSS score for the CVE rose from a low baseline to a peak of 0.2116, indicating emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23501
Vulnerability details
Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in network-accessible Dell Unity appliance enables remote unauthenticated arbitrary command execution (T1190) and direct use of command interpreters (T1059).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the OS command injection vulnerability by requiring timely application of the vendor-provided security update from Dell's advisory DSA-2025-281.
Prevents exploitation of the improper neutralization of special elements in OS commands by enforcing validation of all relevant information inputs to neutralize injection attempts.
Limits the attack surface for unauthenticated remote exploitation by monitoring and controlling network communications at external boundaries to the vulnerable Dell Unity management interface.