Dell UnityVSA Flaw Allows Command Execution Without Login
Cybersecurity researchers at WatchTowr have published an analysis of a vulnerability in Dell UnityVSA, tracked as CVE-2025-36604. The flaw allows an unauthenticated attacker to execute commands on the appliance by abusing a defect in the login redirection logic.

In simple terms, UnityVSA is Dell’s software version of its Unity storage system. Instead of running on dedicated hardware, it runs inside a virtual machine on hypervisors like VMware ESXi. Because storage systems are a prime target (they host critical data), any vulnerability here is especially sensitive.

How the Attack Works

The vulnerability stems from the way UnityVSA handles login redirect URIs. Under certain conditions, a user-controlled URI is inserted directly into a command execution string without proper sanitisation.

When a request arrives without the expected authentication cookie, the system redirects it to the login flow. That redirect logic passes the raw URI into a function (getCASURL) where, if the “type” parameter equals “login,” the URI is concatenated into a command string that is then executed via Perl’s backtick operator.

In short, an attacker can embed shell metacharacters in that URI and cause arbitrary commands to run on the appliance. From there, they could alter configurations, access or destroy data, plant further scripts, or take full control.

Scope, Risks, and Patch Status

WatchTowr’s analysis indicates that multiple versions before 5.5.1 are vulnerable. Dell’s own advisory (DSA-2025-281) confirms that versions 5.5 and earlier are affected, and recommends upgrading to 5.5.1 or later.

Dell rates the issue as “High” severity (CVSS 7.3) in its own advisory. The NVD listing, however, cites a vector that would place it at the “Critical” level (9.8) under an alternative assessment.

Dell’s advisory also mentions related issues such as XSS (CVE-2025-36605) and additional command injection risks in internal utilities, affecting unified platforms like Unity, UnityVSA, and Unity XT.

WatchTowr also released a short demonstration video alongside its “Detection Artefact Generator,” showing how the tool scans for and flags vulnerable UnityVSA instances. The generator helps security teams confirm whether their environments are exposed before or after applying the patch, making it easier to validate remediation efforts and maintain confidence that no unpatched systems remain online.

What Organisations Should Do Immediately

  • Inventory UnityVSA deployments and note which ones run a version below 5.5.1.
  • Upgrade to version 5.5.1 as soon as possible. Dell has confirmed this version addresses CVE-2025-36604 along with other vulnerabilities.
  • Use WatchTowr’s Detection Artefact Generator (a Python script) to test whether an instance is vulnerable.
  • Even after patching, check logs for unexpected redirect URIs, unusual shell executions, or other suspicious behaviour near web access points.
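The last point above, checking web access logs for redirect URIs that carry shell metacharacters, can be automated. The script below is an added example written for this article, not WatchTowr’s tool or Dell code; it assumes a combined-format access log, and the hosts, paths and parameter names in the constructed sample lines are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in a common combined access-log format; hosts,
# paths and parameter names are hypothetical, not taken from the appliance.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2025:10:00:01 +0000] "GET /dashboard HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Oct/2025:10:00:02 +0000] "GET /login?type=login&uri=%2Fdashboard HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2025:10:00:03 +0000] "GET /login?type=login&uri=%2Fx%3Bid HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [01/Oct/2025:10:00:04 +0000] "GET /%60id%60 HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

# Combined-format record: client, timestamp, then the request line.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Characters that let a value break out of a command string when it is
# interpolated into a shell invocation: separators, pipes, redirects, and
# backtick / $( ) command substitution.
SHELL_META_RE = re.compile(r"[`;|&<>\n\r]|\$\(")


def decoded_fields(target):
    """Split a request target into its URL-decoded path and query values."""
    parts = urlsplit(target)
    fields = [unquote(parts.path)]
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        fields.append(value)  # parse_qsl already percent-decodes values
    return fields


def suspicious_fields(target):
    """Return the decoded path/query values that contain shell metacharacters."""
    return [f for f in decoded_fields(target) if SHELL_META_RE.search(f)]


def scan_log(text):
    """Return one finding per request whose decoded URI carries shell metacharacters."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        hits = suspicious_fields(m.group("target"))
        if hits:
            findings.append({"client": m.group("client"), "time": m.group("ts"),
                             "target": m.group("target"), "fields": hits})
    return findings
```

Decoding before matching matters because the metacharacters arrive percent-encoded in the raw log line, so a plain grep for `;` or a backtick would miss them.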


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.