Dell patches multiple Unity flaws, at least one critical
Take action: If you're using Dell Unity storage systems, first make sure it's not exposed to the internet and it's only accessible from trusted networks. Then plan an update to Operating Environment version 5.5.1 or later. Because even with isolation, someone's laptop or router will be compromised and your Unity will be accessible.
Learn More
Dell has patched multiple security vulnerabilities in its Unity storage platform, including a critical unauthenticated command injection flaw that affects Dell Unity, UnityVSA, and Unity XT systems.
Dell Unity is storage platform by Dell. Storage systems are very attractive targets for attackers because they provide direct access to sensitive data that can be stolen or used for ransomware demands.
Vulnerabilities summary:
- CVE-2025-36604 (CVSS score 7.3 to 9.8) - Pre-authentication OS command injection through improper neutralization of special elements in command construction. The flaw was discovered by security researcher Sina Kheirkhah from watchTowr. It's caused by improper input sanitization in the login redirect mechanism, where user-controlled URI values are concatenated directly into shell commands without validation or escaping.
- CVE-2025-36606 (CVSS score 7.8) - OS command injection in svc_nfssupport utility enabling authenticated attackers to escape restricted shell
- CVE-2025-36607 (CVSS score 7.8) - OS command injection in svc_nas utility allowing authenticated attackers to execute commands with root privileges
- CVE-2025-36605 (CVSS score 6.1) - Cross-site scripting vulnerability allowing execution of malicious HTML or JavaScript code
Affected versions of Dell Unity products include Dell Unity Operating Environment (OE) versions 5.5 and all older. The vulnerability affects all configurations of Dell Unity, UnityVSA Professional Edition, Unity Cloud Edition, and Unity XT systems running the vulnerable Operating Environment versions.
The flaws were patched in Dell Unity Operating Environment (OE) version 5.5.1 and later releases. Organizations can download the latest Operating Environment version from the Dell Unity Drivers & Downloads page and should verify their current OE version through the management interface before beginning the upgrade process.
Dell has rated CVE-2025-36604 with a CVSS base score of 7.3. Assessments from the National Vulnerability Database is scored as critical with CVSS 9.8 under certain deployment scenarios, especially when storage systems are exposed to untrusted networks or the internet.
Organizations should immediately verify their current Dell Unity Operating Environment version and prioritize upgrading to version 5.5.1 or later. WatchTowr has released a Detection Artefact Generator, a Python-based scanning tool that can identify vulnerable UnityVSA instances across the network. Security teams should run this scanner to confirm which systems require patching and validate remediation efforts after applying updates.
Organizations should also restrict network access to Dell Unity management interfaces, ensuring these systems are not directly accessible from the internet or untrusted network segments.
