CVE-2025-36604 is an OS command injection vulnerability classified under CWE-78, found in Dell Unity storage systems version 5.5 and earlier. The flaw arises from improper neutralization of special characters in inputs that are passed to operating system commands, enabling an attacker to inject and execute arbitrary commands remotely without authentication. This vulnerability is particularly dangerous because it does not require any user interaction or prior credentials, making it accessible to unauthenticated remote attackers with network access to the vulnerable system. Successful exploitation could allow attackers to execute arbitrary code with the privileges of the affected service, potentially leading to data leakage, unauthorized system control, or disruption of storage services. The vulnerability was reserved in April 2025 and publicly disclosed in August 2025, with a CVSS v3.1 base score of 7.3, indicating high severity. No public exploits have been reported yet, but the nature of the vulnerability and the widespread use of Dell Unity in enterprise storage environments make it a critical concern. The lack of available patches at the time of disclosure necessitates immediate attention to alternative mitigations.

The impact of CVE-2025-36604 is significant for organizations relying on Dell Unity storage systems. Exploitation can lead to unauthorized command execution, potentially compromising the confidentiality, integrity, and availability of stored data. Attackers could manipulate or exfiltrate sensitive information, disrupt storage operations, or use the compromised system as a foothold for further network intrusion. Given that Dell Unity is widely deployed in enterprise and data center environments, the vulnerability could affect critical infrastructure, financial institutions, healthcare providers, and government agencies. The unauthenticated nature of the exploit increases the risk of automated attacks and rapid spread. Downtime or data loss resulting from exploitation could cause operational disruption and financial losses. The vulnerability also raises compliance and regulatory concerns for organizations handling sensitive or regulated data.

Organizations should immediately assess their Dell Unity deployments for affected versions (5.5 and prior). Since no patches are currently available, implement network-level controls such as restricting access to management interfaces to trusted IP addresses and isolating vulnerable systems from untrusted networks. Employ intrusion detection and prevention systems (IDS/IPS) to monitor and block suspicious command injection patterns targeting Dell Unity devices. Regularly audit logs for unusual command execution or access attempts. Engage with Dell support to obtain timelines for patches or workarounds and apply them promptly once released. Consider deploying application-layer firewalls or web application firewalls (WAFs) with custom rules to detect and block injection attempts. Additionally, enforce the principle of least privilege on affected systems to limit the potential impact of exploitation. Prepare incident response plans specific to storage system compromises to enable rapid containment and recovery.