Description
Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Published: 2026-01-30
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local privilege escalation via OS command injection
Action: Patch
AI Analysis

Impact

Dell UnityVSA, version 5.4 and earlier, contains a command‑injection flaw (CWE‑78) caused by improper neutralization of special elements used in an OS command string. A local, low‑privileged attacker who can provide input to the appliance can cause arbitrary command execution with root privileges, potentially taking full control of the appliance.

Affected Systems

Dell UnityVSA operating environment versions 5.4 and prior are affected.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score is below 1%, suggesting a very low likelihood of exploitation. The flaw is not listed in CISA KEV. Local access is required, so only users or attackers with physical or network access to the appliance may exploit this vulnerability.

Generated by OpenCVE AI on April 18, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell UnityVSA security update that removes the vulnerable command‑injection path and sanitizes all command inputs.
  • Restrict local or console access to the UnityVSA appliance by using network segmentation or firewall rules to limit management interfaces to trusted hosts.
  • Enforce least‑privilege principles on the accounts running UnityVSA services to limit the impact of any command‑execution attempts.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 20:15:00 +0000

Values added (none removed):
  • Title: Root Privilege Command Injection in Dell UnityVSA 5.4 and Earlier

Tue, 10 Mar 2026 18:30:00 +0000

Values added (none removed):
  • First Time appeared: Dell unity Operating Environment
  • CPEs: cpe:2.3:a:dell:unity_operating_environment:*:*:*:*:*:*:*:*
  • Vendors & Products: Dell unity Operating Environment

Tue, 03 Feb 2026 15:00:00 +0000

Values added (none removed):
  • First Time appeared: Dell; Dell unity; Dell unityvsa Operating Environment
  • Vendors & Products: Dell; Dell unity; Dell unityvsa Operating Environment

Fri, 30 Jan 2026 13:15:00 +0000

Values added (none removed):
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 30 Jan 2026 08:30:00 +0000

Values added (none removed):
  • Description: Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
  • Weaknesses: CWE-78
  • References
  • Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-02-26T15:04:43.315Z

Reserved: 2026-01-07T07:17:24.536Z

Link: CVE-2026-22277

Vulnrichment

Updated: 2026-01-30T13:09:50.449Z

NVD

Status: Analyzed

Published: 2026-01-30T09:15:51.090

Modified: 2026-03-10T18:21:46.083

Link: CVE-2026-22277

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses