CVE-2025-43939: Dell Unity OS Command Injection (High)

Short summary

A command injection flaw in Dell Unity OS (versions 5.4 and earlier) lets a low-privileged local user execute system commands and escalate privileges. Classified High (CVSS 7.8), the bug stems from improper input handling of OS command elements. While it requires local access, compromise of a support/maintenance account or shell access on an affected array could lead to full system control.

Key details

  • Affected: Dell Unity OS ≤ 5.4
  • Impact: Arbitrary command execution → privilege escalation
  • Severity: 7.8 (High)
  • Published: 30 Oct 2025

Risk to environments

Attackers who gain a local foothold on a storage array (e.g., via weak credentials or chained bugs) can abuse this flaw to run commands with elevated rights, threatening data availability and integrity.

Mitigation / actions

  • Apply the vendor’s fixed release as soon as available.
  • Temporarily harden access: disable unused local accounts, enforce MFA on management paths, restrict SSH/CLI access to trusted admins and IPs, and increase auditing of command activity.
  • Monitor for unusual shell/CLI usage and privilege changes on Unity systems.
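The monitoring step above turned into a small detection routine, as an added example that is not part of this advisory or of Dell's tooling: it scans constructed, hypothetical CLI audit lines (the field layout and the `svc_backup`/`admin` account names are assumptions, not Unity's real log format or accounts) and flags non-admin commands whose arguments carry OS-command metacharacters, plus any privilege-change event.

```python
"""Detection sketch for the monitoring recommendation: flag CLI arguments that
contain shell metacharacters from non-admin users, and all privilege changes.
The log format below is constructed for the example, not Dell Unity's own."""
import re
from dataclasses import dataclass

# Characters that let an argument break out of the intended command into a shell.
METACHARS = re.compile(r"[;&|`$\n]")

# Accounts expected to run administrative commands (assumption for the example).
ADMIN_USERS = {"admin"}

# Hypothetical audit line layout: "<ts> host=<h> user=<u> event=<e> <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) (?P<rest>.*)$"
)

@dataclass
class Alert:
    ts: str
    user: str
    reason: str
    detail: str

def analyze(lines):
    """Return one Alert per suspicious audit line, in log order."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped, not alerted on
        ts, user, event, rest = m.group("ts", "user", "event", "rest")
        if event == "cli_cmd":
            cmd = rest.partition("cmd=")[2].strip('"')
            if user not in ADMIN_USERS and METACHARS.search(cmd):
                alerts.append(Alert(ts, user, "metacharacters in CLI argument", cmd))
        elif event == "priv_change":
            alerts.append(Alert(ts, user, "privilege change", rest))
    return alerts

# Constructed sample audit lines (not real Unity output).
SAMPLE_LOG = [
    '2025-10-30T10:01:02Z host=unity01 user=svc_backup event=cli_cmd cmd="show lun -id sv_1"',
    '2025-10-30T10:02:15Z host=unity01 user=svc_backup event=cli_cmd cmd="show lun -id sv_1;id"',
    '2025-10-30T10:02:16Z host=unity01 user=svc_backup event=priv_change new_role=root',
    '2025-10-30T10:03:00Z host=unity01 user=admin event=cli_cmd cmd="show system"',
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts} {a.user}: {a.reason}: {a.detail}")
```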
