Dell has issued a security update addressing multiple critical vulnerabilities in Unity OS versions 5.4 and earlier. These flaws impact Dell Unity, UnityVSA, and Unity XT storage systems, exposing them to severe security threats, including unauthenticated remote command execution, arbitrary file deletion, open redirects, and privilege escalation.
The most alarming of these is CVE-2025-22398, a command injection vulnerability with a CVSS score of 9.8, which allows unauthenticated attackers to execute arbitrary commands as root, potentially leading to full system control. Dell warns that exploitation requires no authentication, making it an urgent security risk.
Key Vulnerabilities include:
- CVE-2025-22398 (CVSS 9.8) – Remote Command Injection
Allows remote attackers to execute commands with root privileges, leading to complete system takeover. - CVE-2025-24383 (CVSS 9.1) – Arbitrary File Deletion
Enables attackers to delete critical system files without authentication. - CVE-2025-24381 (CVSS 8.8) – Open Redirect
Can be exploited for phishing attacks and session hijacking by redirecting users to malicious sites. - CVE-2024-49563 & Others (CVSS 7.8) – Local Privilege Escalation
Allows low-privileged users to escalate to root-level access via OS command injection vulnerabilities.
Affected Systems
The vulnerabilities affect Dell Unity, UnityVSA, and Unity XT running versions 5.4 and earlier. Dell has released a security fix in Unity Operating Environment (OE) Version 5.5.0.0.5.259 and later.
Recommended Action To mitigate the risk of exploitation, Dell strongly advises all Unity customers to upgrade to the patched firmware version as soon as possible. Given the severity of these vulnerabilities especially those allowing unauthenticated root-level access. Delaying this update could leave systems exposed to serious security threats.