Pre-Authentication Command Injection Vulnerability in Dell UnityVSA
Dell UnityVSA, the software-defined storage solution from Dell, has been found to contain a critical pre-authentication command injection vulnerability, tracked as CVE-2025-36604. This flaw allows attackers to execute arbitrary commands on affected systems without requiring authentication, significantly increasing the risk of unauthorized access and system compromise. The vulnerability arises from improper handling of login redirect URIs, where user-supplied input is directly concatenated into a command string executed by the system, specifically through Perl’s backtick operator in the getCASURL function. If an attacker crafts a request without the expected authentication cookie, the system’s login flow can be manipulated to inject shell metacharacters, enabling remote code execution. This could allow threat actors to alter system configurations, access or destroy sensitive data, deploy additional malicious scripts, or take full control of the UnityVSA appliance. The issue affects all UnityVSA versions prior to 5.5.1, with Dell’s advisory (DSA-2025-281) confirming that versions 5.5 and earlier are vulnerable. Dell has rated the vulnerability as 'High' severity (CVSS 7.3), but the National Vulnerability Database (NVD) suggests it could reach a 'Critical' rating (CVSS 9.8) under certain conditions. In addition to CVE-2025-36604, related vulnerabilities such as a cross-site scripting flaw (CVE-2025-36605) and other command injection risks in internal utilities have been identified, affecting both Unity and UnityVSA platforms. Security researchers at WatchTowr, who discovered the flaw, have released a Python-based 'Detection Artefact Generator' to help organizations identify vulnerable instances. Both Dell and WatchTowr strongly urge immediate upgrades to UnityVSA version 5.5.1 or later to mitigate the risk. Organizations are also advised to monitor for suspicious redirect URIs, shell executions, and unusual web access behaviors, even after patching. The vulnerability is particularly concerning due to the critical nature of storage systems, which often host sensitive and mission-critical data. Exploitation of this flaw could lead to significant operational disruption and data loss. The disclosure underscores the importance of timely patching and robust monitoring of storage infrastructure. Dell’s response includes detailed mitigation guidance and emphasizes the urgency of remediation. The security community has highlighted the exploit’s simplicity and the potential for widespread impact if left unaddressed. Organizations using UnityVSA should prioritize this update as part of their vulnerability management processes to prevent exploitation and safeguard their data assets.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
WatchTowr publishes technical analysis and detection tooling for UnityVSA flaw
WatchTowr released an analysis showing that flawed login redirection handling in UnityVSA could allow unauthenticated arbitrary command execution by injecting a user-controlled redirect URI into a command string. The researchers also published a demonstration video and a Detection Artefact Generator to help identify vulnerable instances and verify remediation.
Dell discloses CVE-2025-36604 in UnityVSA and issues a fix
Dell advisory DSA-2025-281 disclosed an unauthenticated command-injection flaw in Dell UnityVSA, tracked as CVE-2025-36604, affecting version 5.5 and earlier. Dell recommended upgrading to version 5.5.1 or later to remediate this issue and other vulnerabilities.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Dell UnityVSA Unauthenticated Remote Command Injection Vulnerability (CVE-2025-36604)
A critical unauthenticated remote command injection vulnerability, tracked as CVE-2025-36604, was discovered in Dell UnityVSA, a software-defined storage solution that runs as a virtual machine on hypervisors such as VMware ESXi. Security researchers at watchTowr Labs identified and disclosed this vulnerability to Dell in March 2025, noting that it affected version 5.5.0.0.5.259 and likely earlier versions. The flaw allows attackers to execute arbitrary commands on the underlying operating system without authentication, posing a significant risk to organizations using UnityVSA for storage management. The vulnerability is particularly severe because UnityVSA often manages sensitive or business-critical data, making it a high-value target for threat actors seeking data exfiltration or ransomware deployment. Dell responded by releasing security advisories and patches addressing not only CVE-2025-36604 but also a total of 14 pre-auth command injection vulnerabilities in the UnityVSA product line. The exposure of such vulnerabilities in storage appliances highlights the ongoing risks associated with software-defined infrastructure and the need for timely patch management. The ProjectDiscovery community contributed a Nuclei detection template for CVE-2025-36604, enabling security teams to scan their environments for vulnerable UnityVSA instances. During the template's development, maintainers noted the importance of refining detection matchers to reduce false positives, as initial scans produced results on honeypot targets. The template was iteratively improved to ensure reliable identification of affected systems. The vulnerability's pre-authentication nature means that attackers do not require valid credentials, increasing the urgency for organizations to apply patches and restrict network access to management interfaces. Security advisories and technical write-ups provided detailed guidance on identifying vulnerable versions and implementing mitigations. The incident underscores the importance of proactive vulnerability research and coordinated disclosure between security researchers and vendors. Organizations leveraging Dell UnityVSA are strongly advised to review their deployments, apply the latest security updates, and monitor for signs of exploitation. The rapid community response, including the creation and validation of detection templates, demonstrates the value of open-source security tooling in addressing emerging threats. The case also serves as a reminder for storage and infrastructure teams to prioritize the security of virtual appliances, which are increasingly targeted by sophisticated attackers. Dell's multi-vulnerability disclosure and the subsequent industry response highlight the evolving landscape of storage security and the need for continuous vigilance.
Mar 21, 2026
Dell Patches Critical Authentication and Command Injection Flaws Across Storage Products
Dell disclosed multiple high-severity vulnerabilities affecting enterprise storage and backup platforms, including **PowerProtect Data Domain**, **Storage Manager**, and **Unity**. In PowerProtect Data Domain, **CVE-2026-26944** allows unauthenticated remote attackers to reach a privileged function and potentially execute commands as `root` if a legitimate user performs a specific action, while **CVE-2026-26943** and **CVE-2026-23778** enable root-level command execution for attackers with high privileges. Dell said the issues affect several DD OS release tracks, Data Domain Virtual Edition, APEX Protection Storage, Data Domain Management Center, and PowerProtect DP Series appliances, and released fixes through advisory **DSA-2026-060**, adding that it had no indication of active exploitation. Dell also issued critical updates for other storage lines. **Dell Storage Manager** vulnerabilities **CVE-2025-43994** and **CVE-2025-43995** expose management functions and APIs to unauthenticated remote access or authentication bypass, potentially affecting all storage arrays managed by a vulnerable instance; Dell’s advisory **DSA-2025-393** recommends upgrading to **2020 R1.22** or later. In **Dell Unity**, **CVE-2025-36604** permits unauthenticated remote OS command injection, while **CVE-2025-36606** and **CVE-2025-36607** allow authenticated attackers to escape restricted utilities and run commands as `root`; Dell remediated those flaws in **Unity OE 5.5.1** and later. The disclosures highlight elevated risk to backup integrity, storage administration, and ransomware recovery operations if exposed management interfaces remain unpatched.
Jun 12, 2026
Critical Authentication Bypass Vulnerabilities in Dell Storage Manager
Dell Storage Manager was found to contain multiple critical vulnerabilities, including CVE-2025-43995 (CVSS 9.8), which allows unauthenticated attackers to bypass authentication and access APIs exposed by the `ApiProxy.war` component in the DataCollectorEar.ear package. Exploitation is possible by using a special `SessionKey` and `UserId` associated with special users created for internal service purposes. Another related vulnerability, CVE-2025-43994 (CVSS 8.6), involves missing authentication for critical functions, potentially leading to information disclosure if exploited by a remote attacker. These flaws affect Dell Storage Center systems running Dell Storage Manager version 20.1.21. The vulnerabilities were disclosed by security researchers and confirmed by Dell, with advisories urging immediate patching to prevent unauthorized access and data exposure. No evidence of exploitation in the wild has been reported as of the publication date, but the critical nature of the flaws underscores the need for urgent remediation in affected environments.
Mar 21, 2026