Dell Technologies recently patched a critical security flaw impacting its UnityVSA virtual storage appliance, tracked as CVE-2025-9242. A very serious kernel flaw that allowed unauthenticated attackers to run arbitrary code on internet-facing services. Thanks to the responsible disclosure received on March 28, 2025, the issue has been patched on July 18, 2025.
This vulnerability, beyond any other, is particularly worrisome. It allows attackers to bypass security defenses such as the NX bit, leading to often severe exploitation. WatchTowr Labs called CVE-2025-9242 a vulnerability with “all the characteristics your friendly neighbourhood ransomware gangs love to see.” This description highlights the devastating harm that may be caused by the vulnerability.
Details of the Vulnerability
CVE-2025-9242 is the most severe bug as far as CVS severity ratings go, but no CVSS score was given. Attackers can take advantage of this vulnerability by using an mprotect system call to sidestep NX bit mitigations. This makes it easier for them to run specifically arbitrary code on perimeter appliances. It is one of the most egregious vulnerabilities to exist. It would enable attackers to infiltrate and seize control of impacted systems.
Dell has provided updates to fix this vulnerability on all impacted versions of UnityVSA. The following updates have been issued:
- Version 2025.1 – Fixed in 2025.1.1
- Version 12.x – Fixed in 12.11.4
- Version 12.3.1 (FIPS-certified release) – Fixed in 12.3.1_Update3 (B722811)
- Version 12.5.x (T15 & T35 models) – Fixed in 12.5.13
- Version 11.x – Reached end-of-life
These changes are indeed very necessary. They inform the public about the severity of the vulnerability and the need for users to be diligent in maintaining their systems.
Additional Vulnerabilities Discovered
Security researchers Piotr Bazydlo and McCaulay Hudson previously discovered vulnerabilities in Dell UnityVSA and compatible kernels. Specifically, they have pegged CVE-2025-9242 as one of these very serious binds. Bazydlo found a critical pre-authenticated command injection vulnerability CVE-2025-36604. In fact, it bears one of the most serious CVSS scores at a severe 9.8/7.3, indicating the critical nature of the vulnerability.
Hudson’s findings included another significant flaw: “The server does attempt certificate validation, but that validation happens after the vulnerable code runs, allowing our vulnerable code path to be reachable pre-authentication.” This quote demonstrates that the timing of validation—as we know it—introduces even more vulnerabilities.
In a related analysis, WatchGuard found a critical RCE vulnerability in the Fireware OS process. Such an out-of-bounds write vulnerability might allow remote, unauthenticated attackers to potentially gain arbitrary code execution.