Description
Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Published: 2026-01-30
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Execution and Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an OS command injection (CWE-78) that permits a low-privileged local attacker to execute arbitrary commands with root privileges on Dell Unity 5.5.2 and earlier. This flaw enables full control over the affected system, potentially compromising the confidentiality, integrity, and availability of all data stored on the device.

Affected Systems

Dell Unity Operating Environment version 5.5.2 and all versions prior to 5.5.2 are affected. The vulnerability applies to the Unity core software that runs within the Unity Storage Appliance.

Risk and Exploitability

The CVSS score of 7.8 indicates a high impact vulnerability, but the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. Exploit requires local access from a low-privileged user, and the vulnerability is not listed in the CISA KEV catalog. If an attacker gains local access, the problem can be leveraged for full root-level command execution, making it a critical local privilege escalation risk.

Generated by OpenCVE AI on April 18, 2026 at 01:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell security update DSA-2026-054 that addresses the OS command injection in Unity 5.5.2 and earlier.
  • Revoke or restrict local administrative privileges for users not required to perform Unity maintenance, effectively limiting the attacker's ability to trigger the injection.
  • Continuously monitor system logs for anomalous command execution patterns and verify that the Unity software has been updated across all managed devices.

Generated by OpenCVE AI on April 18, 2026 at 01:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
Title OS Command Injection in Dell Unity Operating Environment

Tue, 10 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Dell unity Operating Environment
CPEs cpe:2.3:a:dell:unity_operating_environment:*:*:*:*:*:*:*:*
Vendors & Products Dell unity Operating Environment

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Dell
Dell unity
Vendors & Products Dell
Dell unity

Fri, 30 Jan 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 30 Jan 2026 09:00:00 +0000

Type Values Removed Values Added
Description Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Dell Unity Unity Operating Environment
cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-02-26T15:04:42.636Z

Reserved: 2025-12-24T16:33:47.094Z

Link: CVE-2026-21418

cve-icon Vulnrichment

Updated: 2026-01-30T13:00:04.347Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-30T09:15:50.920

Modified: 2026-03-10T18:21:28.180

Link: CVE-2026-21418

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses