CVE-2025-36606 is an OS command injection vulnerability classified under CWE-78 affecting Dell Unity storage systems version 5.5 and earlier. The vulnerability resides in the svc_nfssupport utility, a component likely responsible for managing NFS support services on the device. Due to improper neutralization of special elements in OS commands, an authenticated attacker with limited privileges can inject malicious commands. This injection allows the attacker to escape the restricted shell environment, which is designed to limit command execution scope, and gain root-level command execution on the underlying operating system. The vulnerability's CVSS v3.1 score is 7.8, reflecting high severity with a vector indicating local attack vector (AV:L), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The flaw enables full system compromise, including data theft, destruction, or further lateral movement within the network. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly.

The impact of CVE-2025-36606 is significant for organizations using Dell Unity storage systems, as successful exploitation grants root-level access to the underlying OS. This can lead to complete compromise of the storage device, allowing attackers to manipulate, steal, or destroy sensitive data stored on the arrays. The integrity of stored data can be undermined, availability disrupted through destructive commands or denial-of-service conditions, and confidentiality breached by unauthorized data access. Since Dell Unity systems are often deployed in enterprise environments for critical storage infrastructure, this vulnerability could facilitate broader network compromise, data exfiltration, or ransomware deployment. The requirement for authentication limits exposure but does not eliminate risk, especially in environments with weak credential management or insider threats.

To mitigate CVE-2025-36606, organizations should immediately verify if their Dell Unity systems are running version 5.5 or earlier and prioritize upgrading to a patched version once available from Dell. Until patches are released, restrict access to the svc_nfssupport utility and related management interfaces to trusted administrators only. Implement strict authentication controls, including strong password policies and multi-factor authentication, to reduce the risk of credential compromise. Monitor system logs for unusual command executions or shell escapes indicative of exploitation attempts. Network segmentation should be employed to limit access to storage management interfaces. Additionally, consider deploying host-based intrusion detection systems (HIDS) on management hosts to detect anomalous root-level command executions. Engage with Dell support for any available workarounds or interim fixes and maintain up-to-date backups of critical data to enable recovery in case of compromise.