Dell Patches Critical Authentication and Command Injection Flaws Across Storage Products
Dell disclosed multiple high-severity vulnerabilities affecting enterprise storage and backup platforms, including PowerProtect Data Domain, Storage Manager, and Unity. In PowerProtect Data Domain, CVE-2026-26944 allows unauthenticated remote attackers to reach a privileged function and potentially execute commands as root if a legitimate user performs a specific action, while CVE-2026-26943 and CVE-2026-23778 enable root-level command execution for attackers with high privileges. Dell said the issues affect several DD OS release tracks, Data Domain Virtual Edition, APEX Protection Storage, Data Domain Management Center, and PowerProtect DP Series appliances, and released fixes through advisory DSA-2026-060, adding that it had no indication of active exploitation.
Dell also issued critical updates for other storage lines. Dell Storage Manager vulnerabilities CVE-2025-43994 and CVE-2025-43995 expose management functions and APIs to unauthenticated remote access or authentication bypass, potentially affecting all storage arrays managed by a vulnerable instance; Dell’s advisory DSA-2025-393 recommends upgrading to 2020 R1.22 or later. In Dell Unity, CVE-2025-36604 permits unauthenticated remote OS command injection, while CVE-2025-36606 and CVE-2025-36607 allow authenticated attackers to escape restricted utilities and run commands as root; Dell remediated those flaws in Unity OE 5.5.1 and later. The disclosures highlight elevated risk to backup integrity, storage administration, and ransomware recovery operations if exposed management interfaces remain unpatched.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Dell publishes DSA-2026-060 for PowerProtect Data Domain vulnerabilities
Dell disclosed security advisory DSA-2026-060 covering CVE-2026-23778, CVE-2026-26943, CVE-2026-26944, and additional vulnerabilities affecting PowerProtect Data Domain products. The advisory provided DD OS and firmware updates across multiple release tracks and stated there was no indication of active exploitation for CVE-2026-26944.
Dell releases patches for ReVault-related ControlVault3 flaws
Dell issued security advisories and coordinated firmware and driver patches for multiple ControlVault3 and ControlVault3 Plus vulnerabilities, including CVE-2025-31361, CVE-2025-31649, CVE-2025-32089, and CVE-2025-36553. The flaws affected more than 100 Dell laptop models and enabled impacts ranging from privilege escalation to firmware-context code execution.
Dell issues DSA-2025-393 for Storage Manager vulnerabilities
Dell initially released security advisory DSA-2025-393 for Dell Storage Manager on 2025-10-24 and updated it the same day to clarify the remediated version. The advisory covered CVE-2025-43994, CVE-2025-43995, and CVE-2025-46425 and recommended upgrading to version 2020 R1.22 or later.
Dell releases fixes for PowerProtect Data Domain auth bypass CVE-2025-43727
Dell addressed CVE-2025-43727, an authentication bypass in the RestAPI component of PowerProtect Data Domain DD OS, and recommended upgrades to remediated versions across affected release tracks. The flaw allowed unauthenticated remote attackers to send crafted API requests that bypass authentication checks.
Dell discloses Unity command injection flaws and releases Unity OE 5.5.1
Dell disclosed CVE-2025-36604, CVE-2025-36606, and CVE-2025-36607 affecting Dell Unity, UnityVSA, and Unity XT systems running Unity OE 5.5 and earlier. The company said the issues were fixed in Unity OE 5.5.1 and advised customers to upgrade.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
15 references tracked. Mallory keeps watching after this page renders.
Brief Summary: CVE-2026-26944 Missing Authentication in Dell PowerProtect Data Domain Enables Remote Root Command Execution - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceBrief Summary: Dell PowerProtect Data Domain CVE-2026-26943 OS Command Injection Leading to Root Execution - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceBrief Summary: Dell PowerProtect Data Domain CVE-2026-23778 Command Injection Enabling Root Access - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceDSA-2025-281: Security Update for Dell Unity, Dell UnityVSA and Dell Unity XT Security Update for Multiple Vulnerabilities | Dell Slovenia
dell.com
Open sourceDell PowerProtect Data Domain CVE-2025-43727: Brief Summary of High-Severity Authentication Bypass - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceDell Unity CVE-2025-36607 OS Command Injection Vulnerability: Brief Summary and Patch Guidance - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceDell Unity CVE-2025-36606 OS Command Injection Vulnerability: Brief Summary and Patch Guidance - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceDell Unity CVE-2025-36604 OS Command Injection: Brief Summary and Patch Guidance - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Dell PowerProtect Data Domain Flaws Expose Systems to Unauthorized Access and Root RCE
Dell disclosed two high-severity vulnerabilities in **PowerProtect Data Domain** appliances running multiple **DD OS** releases, including a weak-credentials flaw tracked as `CVE-2026-23853` and a missing-authentication issue tracked as `CVE-2026-26944`. The weak-credentials vulnerability affects Feature Release versions **7.7.1.0 through 8.5**, **LTS2025 8.3.1.0 through 8.3.1.20**, and **LTS2024 7.13.1.0 through 7.13.1.50**, and could allow an unauthenticated attacker with local access to gain unauthorized access to the system. The issue is classified as **CWE-1391** and carries a **CVSS v3.1** score vector of `AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`. Dell also reported `CVE-2026-26944`, a **missing authentication for critical function** flaw classified as **CWE-306**, which could allow an unauthenticated remote attacker to execute arbitrary commands with **root privileges** if an authenticated user performs a specific action. That vulnerability is rated with the **CVSS v3.1** vector `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`. Both issues were referenced in Dell security guidance, including advisory **`DSA-2026-060`**, and affect backup infrastructure that may be critical to recovery operations, making remediation and version review a priority for defenders.
Apr 20, 2026
Pre-Authentication Command Injection Vulnerability in Dell UnityVSA
Dell UnityVSA, the software-defined storage solution from Dell, has been found to contain a critical pre-authentication command injection vulnerability, tracked as CVE-2025-36604. This flaw allows attackers to execute arbitrary commands on affected systems without requiring authentication, significantly increasing the risk of unauthorized access and system compromise. The vulnerability arises from improper handling of login redirect URIs, where user-supplied input is directly concatenated into a command string executed by the system, specifically through Perl’s backtick operator in the getCASURL function. If an attacker crafts a request without the expected authentication cookie, the system’s login flow can be manipulated to inject shell metacharacters, enabling remote code execution. This could allow threat actors to alter system configurations, access or destroy sensitive data, deploy additional malicious scripts, or take full control of the UnityVSA appliance. The issue affects all UnityVSA versions prior to 5.5.1, with Dell’s advisory (DSA-2025-281) confirming that versions 5.5 and earlier are vulnerable. Dell has rated the vulnerability as 'High' severity (CVSS 7.3), but the National Vulnerability Database (NVD) suggests it could reach a 'Critical' rating (CVSS 9.8) under certain conditions. In addition to CVE-2025-36604, related vulnerabilities such as a cross-site scripting flaw (CVE-2025-36605) and other command injection risks in internal utilities have been identified, affecting both Unity and UnityVSA platforms. Security researchers at WatchTowr, who discovered the flaw, have released a Python-based 'Detection Artefact Generator' to help organizations identify vulnerable instances. Both Dell and WatchTowr strongly urge immediate upgrades to UnityVSA version 5.5.1 or later to mitigate the risk. Organizations are also advised to monitor for suspicious redirect URIs, shell executions, and unusual web access behaviors, even after patching. The vulnerability is particularly concerning due to the critical nature of storage systems, which often host sensitive and mission-critical data. Exploitation of this flaw could lead to significant operational disruption and data loss. The disclosure underscores the importance of timely patching and robust monitoring of storage infrastructure. Dell’s response includes detailed mitigation guidance and emphasizes the urgency of remediation. The security community has highlighted the exploit’s simplicity and the potential for widespread impact if left unaddressed. Organizations using UnityVSA should prioritize this update as part of their vulnerability management processes to prevent exploitation and safeguard their data assets.
Mar 21, 2026
Dell UnityVSA Unauthenticated Remote Command Injection Vulnerability (CVE-2025-36604)
A critical unauthenticated remote command injection vulnerability, tracked as CVE-2025-36604, was discovered in Dell UnityVSA, a software-defined storage solution that runs as a virtual machine on hypervisors such as VMware ESXi. Security researchers at watchTowr Labs identified and disclosed this vulnerability to Dell in March 2025, noting that it affected version 5.5.0.0.5.259 and likely earlier versions. The flaw allows attackers to execute arbitrary commands on the underlying operating system without authentication, posing a significant risk to organizations using UnityVSA for storage management. The vulnerability is particularly severe because UnityVSA often manages sensitive or business-critical data, making it a high-value target for threat actors seeking data exfiltration or ransomware deployment. Dell responded by releasing security advisories and patches addressing not only CVE-2025-36604 but also a total of 14 pre-auth command injection vulnerabilities in the UnityVSA product line. The exposure of such vulnerabilities in storage appliances highlights the ongoing risks associated with software-defined infrastructure and the need for timely patch management. The ProjectDiscovery community contributed a Nuclei detection template for CVE-2025-36604, enabling security teams to scan their environments for vulnerable UnityVSA instances. During the template's development, maintainers noted the importance of refining detection matchers to reduce false positives, as initial scans produced results on honeypot targets. The template was iteratively improved to ensure reliable identification of affected systems. The vulnerability's pre-authentication nature means that attackers do not require valid credentials, increasing the urgency for organizations to apply patches and restrict network access to management interfaces. Security advisories and technical write-ups provided detailed guidance on identifying vulnerable versions and implementing mitigations. The incident underscores the importance of proactive vulnerability research and coordinated disclosure between security researchers and vendors. Organizations leveraging Dell UnityVSA are strongly advised to review their deployments, apply the latest security updates, and monitor for signs of exploitation. The rapid community response, including the creation and validation of detection templates, demonstrates the value of open-source security tooling in addressing emerging threats. The case also serves as a reminder for storage and infrastructure teams to prioritize the security of virtual appliances, which are increasingly targeted by sophisticated attackers. Dell's multi-vulnerability disclosure and the subsequent industry response highlight the evolving landscape of storage security and the need for continuous vigilance.
Mar 21, 2026