Critical Authentication Bypass Vulnerabilities in Dell Storage Manager
Dell Storage Manager was found to contain multiple critical vulnerabilities, including CVE-2025-43995 (CVSS 9.8), which allows unauthenticated attackers to bypass authentication and access APIs exposed by the ApiProxy.war component in the DataCollectorEar.ear package. Exploitation is possible by using a special SessionKey and UserId associated with special users created for internal service purposes. Another related vulnerability, CVE-2025-43994 (CVSS 8.6), involves missing authentication for critical functions, potentially leading to information disclosure if exploited by a remote attacker.
These flaws affect Dell Storage Center systems running Dell Storage Manager version 20.1.21. The vulnerabilities were disclosed by security researchers and confirmed by Dell, with advisories urging immediate patching to prevent unauthorized access and data exposure. No evidence of exploitation in the wild has been reported as of the publication date, but the critical nature of the flaws underscores the need for urgent remediation in affected environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security publishes Dell advisory AV25-697
The Canadian Centre for Cyber Security published advisory AV25-697 covering the Dell security issue, reflecting official government notice and guidance related to the disclosed Dell vulnerabilities.
CVE-2025-43995 disclosed in Dell Storage Manager
A critical vulnerability, CVE-2025-43995, affecting Dell Storage Manager was publicly listed as an authentication bypass issue that could allow unauthenticated API access.
CVE-2025-43994 disclosed in Dell Storage Manager
A high-severity vulnerability, CVE-2025-43994, affecting Dell Storage Manager was publicly listed as a missing authentication for a critical function issue in Dell Storage Center environments.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Dell security advisory (AV25-697)
cyber.gc.ca
Open sourceCritical Dell Storage Manager Flaw (CVE-2025-43995, CVSS 9.8) Allows Unauthenticated API Bypass
securityonline.info
Open sourceCVE-2025-43995 - Dell Storage Center - Dell Storage Manager Authentication Bypass
cvefeed.io
Open sourceCVE-2025-43994 - Dell Storage Center - Dell Storage Manager Missing Authentication for Critical Function
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Dell Patches Critical Authentication and Command Injection Flaws Across Storage Products
Dell disclosed multiple high-severity vulnerabilities affecting enterprise storage and backup platforms, including **PowerProtect Data Domain**, **Storage Manager**, and **Unity**. In PowerProtect Data Domain, **CVE-2026-26944** allows unauthenticated remote attackers to reach a privileged function and potentially execute commands as `root` if a legitimate user performs a specific action, while **CVE-2026-26943** and **CVE-2026-23778** enable root-level command execution for attackers with high privileges. Dell said the issues affect several DD OS release tracks, Data Domain Virtual Edition, APEX Protection Storage, Data Domain Management Center, and PowerProtect DP Series appliances, and released fixes through advisory **DSA-2026-060**, adding that it had no indication of active exploitation. Dell also issued critical updates for other storage lines. **Dell Storage Manager** vulnerabilities **CVE-2025-43994** and **CVE-2025-43995** expose management functions and APIs to unauthenticated remote access or authentication bypass, potentially affecting all storage arrays managed by a vulnerable instance; Dell’s advisory **DSA-2025-393** recommends upgrading to **2020 R1.22** or later. In **Dell Unity**, **CVE-2025-36604** permits unauthenticated remote OS command injection, while **CVE-2025-36606** and **CVE-2025-36607** allow authenticated attackers to escape restricted utilities and run commands as `root`; Dell remediated those flaws in **Unity OE 5.5.1** and later. The disclosures highlight elevated risk to backup integrity, storage administration, and ransomware recovery operations if exposed management interfaces remain unpatched.
Jun 12, 2026
Dell PowerProtect Data Domain Flaws Expose Systems to Unauthorized Access and Root RCE
Dell disclosed two high-severity vulnerabilities in **PowerProtect Data Domain** appliances running multiple **DD OS** releases, including a weak-credentials flaw tracked as `CVE-2026-23853` and a missing-authentication issue tracked as `CVE-2026-26944`. The weak-credentials vulnerability affects Feature Release versions **7.7.1.0 through 8.5**, **LTS2025 8.3.1.0 through 8.3.1.20**, and **LTS2024 7.13.1.0 through 7.13.1.50**, and could allow an unauthenticated attacker with local access to gain unauthorized access to the system. The issue is classified as **CWE-1391** and carries a **CVSS v3.1** score vector of `AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`. Dell also reported `CVE-2026-26944`, a **missing authentication for critical function** flaw classified as **CWE-306**, which could allow an unauthenticated remote attacker to execute arbitrary commands with **root privileges** if an authenticated user performs a specific action. That vulnerability is rated with the **CVSS v3.1** vector `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`. Both issues were referenced in Dell security guidance, including advisory **`DSA-2026-060`**, and affect backup infrastructure that may be critical to recovery operations, making remediation and version review a priority for defenders.
Apr 20, 2026
Pre-Authentication Command Injection Vulnerability in Dell UnityVSA
Dell UnityVSA, the software-defined storage solution from Dell, has been found to contain a critical pre-authentication command injection vulnerability, tracked as CVE-2025-36604. This flaw allows attackers to execute arbitrary commands on affected systems without requiring authentication, significantly increasing the risk of unauthorized access and system compromise. The vulnerability arises from improper handling of login redirect URIs, where user-supplied input is directly concatenated into a command string executed by the system, specifically through Perl’s backtick operator in the getCASURL function. If an attacker crafts a request without the expected authentication cookie, the system’s login flow can be manipulated to inject shell metacharacters, enabling remote code execution. This could allow threat actors to alter system configurations, access or destroy sensitive data, deploy additional malicious scripts, or take full control of the UnityVSA appliance. The issue affects all UnityVSA versions prior to 5.5.1, with Dell’s advisory (DSA-2025-281) confirming that versions 5.5 and earlier are vulnerable. Dell has rated the vulnerability as 'High' severity (CVSS 7.3), but the National Vulnerability Database (NVD) suggests it could reach a 'Critical' rating (CVSS 9.8) under certain conditions. In addition to CVE-2025-36604, related vulnerabilities such as a cross-site scripting flaw (CVE-2025-36605) and other command injection risks in internal utilities have been identified, affecting both Unity and UnityVSA platforms. Security researchers at WatchTowr, who discovered the flaw, have released a Python-based 'Detection Artefact Generator' to help organizations identify vulnerable instances. Both Dell and WatchTowr strongly urge immediate upgrades to UnityVSA version 5.5.1 or later to mitigate the risk. Organizations are also advised to monitor for suspicious redirect URIs, shell executions, and unusual web access behaviors, even after patching. The vulnerability is particularly concerning due to the critical nature of storage systems, which often host sensitive and mission-critical data. Exploitation of this flaw could lead to significant operational disruption and data loss. The disclosure underscores the importance of timely patching and robust monitoring of storage infrastructure. Dell’s response includes detailed mitigation guidance and emphasizes the urgency of remediation. The security community has highlighted the exploit’s simplicity and the potential for widespread impact if left unaddressed. Organizations using UnityVSA should prioritize this update as part of their vulnerability management processes to prevent exploitation and safeguard their data assets.
Mar 21, 2026