A significant security vulnerability has been identified in Dell Technologies’ PowerProtect Data Domain systems, potentially allowing authenticated users to execute arbitrary commands with root privileges. This flaw poses a substantial risk to critical data protection infrastructures, as it could lead to unauthorized control over affected systems.
Vulnerability Overview
The vulnerability, designated as CVE-2025-29987, affects Dell PowerProtect Data Domain systems operating on Data Domain Operating System (DD OS) versions prior to 8.3.0.15. It has been assigned a CVSS Base Score of 8.8, indicating a high severity level. The vulnerability arises from insufficient granularity in access control mechanisms, enabling authenticated users from trusted remote clients to escalate their privileges and execute arbitrary commands with root access.
Affected Products and Versions
The security flaw impacts a range of Dell’s data protection products, including:
– Dell PowerProtect Data Domain series appliances
– Dell PowerProtect Data Domain Virtual Edition
– Dell APEX Protection Storage
– PowerProtect DP Series Appliance (IDPA) versions 2.7.6, 2.7.7, and 2.7.8
– Disk Library for mainframe DLm8500 and DLm8700
Specifically, the vulnerable DD OS versions are:
– 7.7.1.0 through 8.3.0.10
– 7.13.1.0 through 7.13.1.20
– 7.10.1.0 through 7.10.1.50
Risk Assessment
The vulnerability allows authenticated users with low-privileged access from trusted remote clients to escalate their privileges and execute commands with root access. This could lead to unauthorized control over the affected systems, potentially compromising critical data and system integrity.
Remediation and Recommendations
Dell has addressed this vulnerability by releasing patched versions of the affected software. Organizations using the impacted systems are strongly advised to upgrade to the following remediated versions:
– For DD OS 8.3: Version 8.3.0.15 or later
– For DD OS 7.13.1: Version 7.13.1.25 or later
– For DD OS 7.10.1: Version 7.10.1.60 or later
For PowerProtect DP Series Appliance (IDPA) versions 2.7.6, 2.7.7, and 2.7.8, customers should upgrade to incorporate DD OS 7.10.1.60. Similarly, upgrades are required for the Disk Library for mainframe DLm8500 (Version 5.4.0.0 or later) and DLm8700 (Version 7.0.0.0 or later).
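As an added example (not code from Dell or the article), the following Python script turns the version ranges above into an inventory check: it classifies each DD OS version string against the affected ranges and the remediated releases, flagging builds that sit between the last listed affected build and the fix as still unverified. Host names and versions in the sample inventory are constructed.

```python
# Added example (not code from Dell or the article): classify DD OS versions
# against the affected ranges and remediated releases the CVE-2025-29987
# advisory lists. Long-lived branches are matched by prefix first, because the
# broad 7.7.1.0 to 8.3.0.10 range would otherwise swallow 7.10.1.x and 7.13.1.x.
# Rows: (branch prefix or None for the mainline, first affected, last affected,
# first remediated)
BRANCHES = [
    ((7, 13, 1), "7.13.1.0", "7.13.1.20", "7.13.1.25"),
    ((7, 10, 1), "7.10.1.0", "7.10.1.50", "7.10.1.60"),
    (None,       "7.7.1.0",  "8.3.0.10",  "8.3.0.15"),
]

def parse_version(text):
    """'7.10.1.50' -> (7, 10, 1, 50); tuples then compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected DD OS version format: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version_text):
    """Return (status, first_remediated): 'affected' (in a listed range),
    'unlisted' (past the last listed affected build but below the remediated
    release; treat as unfixed), 'remediated', or 'out-of-scope' (< 7.7.1.0)."""
    v = parse_version(version_text)
    for prefix, first, last, fixed in BRANCHES:
        if prefix is not None and v[:3] != prefix:
            continue
        lo, hi, fix = map(parse_version, (first, last, fixed))
        if v >= fix:
            return "remediated", fixed
        if lo <= v <= hi:
            return "affected", fixed
        if hi < v < fix:
            return "unlisted", fixed
    return "out-of-scope", None

def triage(inventory):
    """inventory: {host: version}. Rows sorted so affected hosts come first."""
    order = {"affected": 0, "unlisted": 1, "out-of-scope": 2, "remediated": 3}
    rows = [(host, ver) + assess(ver) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

if __name__ == "__main__":
    sample = {"dd-backup-01": "7.10.1.50", "dd-backup-02": "8.3.0.15",  # constructed
              "dd-backup-03": "7.13.1.22", "dd-lab-01": "7.9.0.0"}
    for host, ver, status, fixed in triage(sample):
        action = f" -> upgrade to {fixed} or later" if fixed and status != "remediated" else ""
        print(f"{host:13} {ver:10} {status}{action}")
```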
Security Implications
This is not the first time Dell’s PowerProtect products have faced security challenges. Previous vulnerabilities, such as CVE-2023-44277 and CVE-2024-22445, have also allowed for arbitrary command execution. The current vulnerability, CVE-2025-29987, is particularly concerning due to the potential for attackers to gain complete control over affected systems once exploited.
Conclusion
Organizations relying on Dell’s PowerProtect Data Domain systems must take immediate action to mitigate this critical vulnerability. By promptly applying the recommended updates, they can protect their data protection infrastructure from potential exploitation and maintain the integrity and security of their systems.