Critical Authentication Bypass Vulnerabilities in Dell Storage Manager
Dell Storage Manager was found to contain multiple critical vulnerabilities, including CVE-2025-43995 (CVSS 9.8), which allows unauthenticated attackers to bypass authentication and access APIs exposed by the ApiProxy.war component in the DataCollectorEar.ear package. Exploitation is possible by using a special SessionKey and UserId associated with special users created for internal service purposes. Another related vulnerability, CVE-2025-43994 (CVSS 8.6), involves missing authentication for critical functions, potentially leading to information disclosure if exploited by a remote attacker.
These flaws affect Dell Storage Center systems running Dell Storage Manager version 20.1.21. The vulnerabilities were disclosed by security researchers and confirmed by Dell, with advisories urging immediate patching to prevent unauthorized access and data exposure. No evidence of exploitation in the wild has been reported as of the publication date, but the critical nature of the flaws underscores the need for urgent remediation in affected environments.
Timeline
Oct 27, 2025
Canadian Centre for Cyber Security publishes Dell advisory AV25-697
The Canadian Centre for Cyber Security published advisory AV25-697 covering the Dell security issue, reflecting official government notice and guidance related to the disclosed Dell vulnerabilities.
Oct 24, 2025
CVE-2025-43995 disclosed in Dell Storage Manager
A critical vulnerability, CVE-2025-43995, affecting Dell Storage Manager was publicly listed as an authentication bypass issue that could allow unauthenticated API access.
Oct 24, 2025
CVE-2025-43994 disclosed in Dell Storage Manager
A high-severity vulnerability, CVE-2025-43994, affecting Dell Storage Manager was publicly listed as a missing authentication for a critical function issue in Dell Storage Center environments.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Sources
Related Stories
Dell PowerProtect Data Domain Flaws Expose Systems to Unauthorized Access and Root RCE
Dell disclosed two high-severity vulnerabilities in **PowerProtect Data Domain** appliances running multiple **DD OS** releases, including a weak-credentials flaw tracked as `CVE-2026-23853` and a missing-authentication issue tracked as `CVE-2026-26944`. The weak-credentials vulnerability affects Feature Release versions **7.7.1.0 through 8.5**, **LTS2025 8.3.1.0 through 8.3.1.20**, and **LTS2024 7.13.1.0 through 7.13.1.50**, and could allow an unauthenticated attacker with local access to gain unauthorized access to the system. The issue is classified as **CWE-1391** and carries a **CVSS v3.1** score vector of `AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`. Dell also reported `CVE-2026-26944`, a **missing authentication for critical function** flaw classified as **CWE-306**, which could allow an unauthenticated remote attacker to execute arbitrary commands with **root privileges** if an authenticated user performs a specific action. That vulnerability is rated with the **CVSS v3.1** vector `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`. Both issues were referenced in Dell security guidance, including advisory **`DSA-2026-060`**, and affect backup infrastructure that may be critical to recovery operations, making remediation and version review a priority for defenders.
1 weeks ago
Pre-Authentication Command Injection Vulnerability in Dell UnityVSA
Dell UnityVSA, the software-defined storage solution from Dell, has been found to contain a critical pre-authentication command injection vulnerability, tracked as CVE-2025-36604. This flaw allows attackers to execute arbitrary commands on affected systems without requiring authentication, significantly increasing the risk of unauthorized access and system compromise. The vulnerability arises from improper handling of login redirect URIs, where user-supplied input is directly concatenated into a command string executed by the system, specifically through Perl’s backtick operator in the getCASURL function. If an attacker crafts a request without the expected authentication cookie, the system’s login flow can be manipulated to inject shell metacharacters, enabling remote code execution. This could allow threat actors to alter system configurations, access or destroy sensitive data, deploy additional malicious scripts, or take full control of the UnityVSA appliance. The issue affects all UnityVSA versions prior to 5.5.1, with Dell’s advisory (DSA-2025-281) confirming that versions 5.5 and earlier are vulnerable. Dell has rated the vulnerability as 'High' severity (CVSS 7.3), but the National Vulnerability Database (NVD) suggests it could reach a 'Critical' rating (CVSS 9.8) under certain conditions. In addition to CVE-2025-36604, related vulnerabilities such as a cross-site scripting flaw (CVE-2025-36605) and other command injection risks in internal utilities have been identified, affecting both Unity and UnityVSA platforms. Security researchers at WatchTowr, who discovered the flaw, have released a Python-based 'Detection Artefact Generator' to help organizations identify vulnerable instances. Both Dell and WatchTowr strongly urge immediate upgrades to UnityVSA version 5.5.1 or later to mitigate the risk. Organizations are also advised to monitor for suspicious redirect URIs, shell executions, and unusual web access behaviors, even after patching. The vulnerability is particularly concerning due to the critical nature of storage systems, which often host sensitive and mission-critical data. Exploitation of this flaw could lead to significant operational disruption and data loss. The disclosure underscores the importance of timely patching and robust monitoring of storage infrastructure. Dell’s response includes detailed mitigation guidance and emphasizes the urgency of remediation. The security community has highlighted the exploit’s simplicity and the potential for widespread impact if left unaddressed. Organizations using UnityVSA should prioritize this update as part of their vulnerability management processes to prevent exploitation and safeguard their data assets.
1 months ago
Dell UnityVSA Unauthenticated Remote Command Injection Vulnerability (CVE-2025-36604)
A critical unauthenticated remote command injection vulnerability, tracked as CVE-2025-36604, was discovered in Dell UnityVSA, a software-defined storage solution that runs as a virtual machine on hypervisors such as VMware ESXi. Security researchers at watchTowr Labs identified and disclosed this vulnerability to Dell in March 2025, noting that it affected version 5.5.0.0.5.259 and likely earlier versions. The flaw allows attackers to execute arbitrary commands on the underlying operating system without authentication, posing a significant risk to organizations using UnityVSA for storage management. The vulnerability is particularly severe because UnityVSA often manages sensitive or business-critical data, making it a high-value target for threat actors seeking data exfiltration or ransomware deployment. Dell responded by releasing security advisories and patches addressing not only CVE-2025-36604 but also a total of 14 pre-auth command injection vulnerabilities in the UnityVSA product line. The exposure of such vulnerabilities in storage appliances highlights the ongoing risks associated with software-defined infrastructure and the need for timely patch management. The ProjectDiscovery community contributed a Nuclei detection template for CVE-2025-36604, enabling security teams to scan their environments for vulnerable UnityVSA instances. During the template's development, maintainers noted the importance of refining detection matchers to reduce false positives, as initial scans produced results on honeypot targets. The template was iteratively improved to ensure reliable identification of affected systems. The vulnerability's pre-authentication nature means that attackers do not require valid credentials, increasing the urgency for organizations to apply patches and restrict network access to management interfaces. Security advisories and technical write-ups provided detailed guidance on identifying vulnerable versions and implementing mitigations. The incident underscores the importance of proactive vulnerability research and coordinated disclosure between security researchers and vendors. Organizations leveraging Dell UnityVSA are strongly advised to review their deployments, apply the latest security updates, and monitor for signs of exploitation. The rapid community response, including the creation and validation of detection templates, demonstrates the value of open-source security tooling in addressing emerging threats. The case also serves as a reminder for storage and infrastructure teams to prioritize the security of virtual appliances, which are increasingly targeted by sophisticated attackers. Dell's multi-vulnerability disclosure and the subsequent industry response highlight the evolving landscape of storage security and the need for continuous vigilance.
1 months ago