DSA-2025-281: Security Update for Dell Unity, Dell UnityVSA and Dell Unity XT Security Update for Multiple Vulnerabilities
Résumé: Dell UnityVSA and Dell Unity XT remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Impact
High
Détails
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2025-36604 | Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution. | 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| CVE-2025-36605 |
Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. |
6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVE-2025-36606 | Dell Unity, version(s) 5.5 and prior, contain(s) an OS Command Injection Vulnerability in its svc_nfssupport utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and execute arbitrary operating system commands with root privileges. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2025-36607 | Dell Unity, version(s) 5.5 and prior, contain(s) an OS Command Injection Vulnerability in its svc_nas utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and execute arbitrary operating system commands with root privileges. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2025-36604 | Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution. | 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| CVE-2025-36605 |
Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. |
6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVE-2025-36606 | Dell Unity, version(s) 5.5 and prior, contain(s) an OS Command Injection Vulnerability in its svc_nfssupport utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and execute arbitrary operating system commands with root privileges. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2025-36607 | Dell Unity, version(s) 5.5 and prior, contain(s) an OS Command Injection Vulnerability in its svc_nas utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and execute arbitrary operating system commands with root privileges. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Produits concernés et mesure corrective
| Product | Software/Firmware | Affected Versions | Remediated Versions | Link |
| Dell Unity | Dell Unity Operating Environment (OE) | Versions prior to 5.5.1 | Version 5.5.1 or later | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Product | Software/Firmware | Affected Versions | Remediated Versions | Link |
| Dell Unity | Dell Unity Operating Environment (OE) | Versions prior to 5.5.1 | Version 5.5.1 or later | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
Historique des révisions
| Revision | Date | Description |
| 1.0 | 2025-07-31 | Initial Release |
| 2.0 | 2025-07-31 | Updated the Acknowledgements section |
Remerciements
CVE-2025-36604, CVE-2025-36605: Dell would like to thank Sina Kheirkhah of watchTowr for reporting this issue.
CVE-2025-36606: Dell would like to thank xiaohei from Ubisectech Sirius Team for reporting this issue.
CVE-2025-36607: Dell would like to thank zzcentury from Ubisectech Sirius Team for reporting this issue.