Dell Technologies has issued a critical security advisory (DSA-2025-139) warning of a high-severity vulnerability in PowerProtect Data Domain systems that could allow authenticated remote attackers to execute arbitrary commands with root privileges.
The vulnerability, tracked as CVE-2025-29987, affects multiple versions of the Data Domain Operating System (DD OS) and requires immediate patching.
Vulnerability Details
The security flaw stems from insufficient granularity of access control within Dell PowerProtect Data Domain systems running DD OS versions before 8.3.0.15.
Security researchers have identified that authenticated users from trusted remote clients could exploit this vulnerability to gain complete system control through arbitrary command execution with root privileges.
With a CVSS base score of 8.8 (High), this vulnerability represents a significant risk to enterprise data protection systems.
The complete CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network attack vector, low attack complexity, and high impacts to confidentiality, integrity, and availability.
The Exploit Prediction Scoring System (EPSS) currently rates the probability of exploitation activity in the next 30 days at 0.06%, placing it around the 16th percentile of vulnerabilities.
However, given the high potential impact, immediate remediation is strongly recommended.
Affected Products and Systems
The vulnerability impacts a wide range of Dell PowerProtect products:
| Product | Affected Versions | Remediated Versions |
|---|---|---|
| DD OS 8.3 | 7.7.1.0 through 8.3.0.10 | 8.3.0.15 or later |
| DD OS 7.13.1 (LTS2024) | 7.13.1.0 through 7.13.1.20 | 7.13.1.25 or later |
| DD OS 7.10.1 (LTS2023) | 7.10.1.0 through 7.10.1.50 | 7.10.1.60 or later |
| PowerProtect DP Series Appliance | 2.7.6, 2.7.7, and 2.7.8 | Same with DD OS 7.10.1.60 |
| Disk Library for mainframe DLm8500/8700 | 5.4.0.0/7.0.0.0 | Same with DD OS 7.10.1.60 |
Affected appliances include Dell PowerProtect Data Domain series appliances, Dell PowerProtect Data Domain Virtual Edition, and Dell APEX Protection Storage.
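The three DD OS rows of the table are easy to misapply by hand, because the broad "DD OS 8.3" range (7.7.1.0 through 8.3.0.10) numerically spans the two LTS branches, so a naive numeric comparison would flag a patched 7.13.1.25 as affected. The following Python helper, added here as an example and not a Dell tool, classifies an installed DD OS version against the table; it assumes DD OS versions compare as dotted integer tuples, gives the LTS rows precedence via a branch-prefix match, and reports versions the table does not explicitly cover as "unlisted" so they get confirmed against the advisory rather than assumed safe. The DP Series and DLm rows use their own version numbering and are not modelled.

```python
from typing import NamedTuple, Tuple, Dict, List

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted DD OS version such as '7.13.1.20' into a comparable int tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


class Row(NamedTuple):
    product: str
    branch: Version        # version prefix this row governs; () means "any"
    affected_lo: Version
    affected_hi: Version
    remediated: Version


# Transcribed from the advisory table in the article. The LTS rows come first and
# carry a branch prefix; the catch-all 8.3 row is consulted last. Using a prefix
# match to disambiguate the overlapping ranges is this example's assumption.
ROWS = [
    Row("DD OS 7.13.1 (LTS2024)", (7, 13, 1),
        parse_version("7.13.1.0"), parse_version("7.13.1.20"), parse_version("7.13.1.25")),
    Row("DD OS 7.10.1 (LTS2023)", (7, 10, 1),
        parse_version("7.10.1.0"), parse_version("7.10.1.50"), parse_version("7.10.1.60")),
    Row("DD OS 8.3", (),
        parse_version("7.7.1.0"), parse_version("8.3.0.10"), parse_version("8.3.0.15")),
]


def assess(version_text: str) -> Tuple[str, str]:
    """Classify a DD OS version against the advisory table.

    Returns (status, product_row) where status is 'affected', 'remediated' or
    'unlisted' (a version between the affected range and the remediated
    build, or below the range; confirm against the vendor advisory).
    """
    v = parse_version(version_text)
    for row in ROWS:
        if v[: len(row.branch)] != row.branch:
            continue
        if row.affected_lo <= v <= row.affected_hi:
            return ("affected", row.product)
        if v >= row.remediated:
            return ("remediated", row.product)
        return ("unlisted", row.product)
    return ("unlisted", "")   # only reachable if the catch-all row is removed


def hosts_needing_action(inventory: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, version, status, row) for every host not on a remediated build."""
    findings = []
    for host, ver in sorted(inventory.items()):
        status, product = assess(ver)
        if status != "remediated":
            findings.append((host, ver, status, product))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up for the example).
    sample = {
        "dd-backup-01": "7.13.1.20",   # affected, LTS2024 branch
        "dd-backup-02": "7.13.1.25",   # remediated, must not be caught by the 8.3 row
        "dd-backup-03": "8.3.0.10",    # affected, last build of the broad range
        "dd-backup-04": "7.10.1.55",   # not in the table: between 7.10.1.50 and 7.10.1.60
    }
    for finding in hosts_needing_action(sample):
        print("%-14s %-10s %-10s %s" % finding)
```

The patched LTS host is correctly reported as remediated only because its branch row is checked before the catch-all; drop the prefix logic and it is misclassified, which is the kind of false positive a fleet-wide scan script would otherwise produce.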
Remediation Steps
Dell has released patched versions of the affected software to address this vulnerability.
System administrators should immediately upgrade to the remediated versions specified in the table above.
For PowerProtect DP Series Appliance (IDPA) users, Dell notes that systems running versions 2.7.6, 2.7.7, and 2.7.8 must have their DD OS upgraded to version 7.10.1.60.
The upgrade process involves downloading the appropriate package from Dell’s support site, uploading it through the Data Domain System Manager, and following the standard upgrade procedures.
Dell provides comprehensive documentation for this process, including:
- Checking system requirements and compatibility
- Performing pre-upgrade checks
- Uploading and installing the upgrade package
- Conducting post-upgrade verification
Security Impact
If left unpatched, this vulnerability could lead to complete system compromise, potentially enabling attackers to gain unauthorized access to backed-up data, disrupt backup operations, or use the compromised system as a pivot point for further network intrusion.
Organizations using affected Dell PowerProtect Data Domain systems should prioritize applying these security updates as part of their vulnerability management program.
Dell’s advisory also notes that certain security scanners may generate false positive detections even after upgrading to remediated versions.
Dell customers with ProSupport Plus, ProSupport Mission Critical, or Premium service levels can request assistance from Dell’s software upgrade experts to perform the upgrade remotely[5].