It was discovered that the Unitrends api/storage web interface has an issue in which one of its input parameters was not validated. A remote attacker could use this issue to bypass authentication and execute arbitrary commands with root privilege on the target system.
Resolution: Upgrade to Unitrends release 10.0.0-2 or later
Unitrends reference UNIBP-13942
LINK TO ADVISORIES
Discoverer(s)/Credits: Benny Husted, Cale Smith, Jared Arave