cnvd - cnvd-2025-15242

cnvd-2025-15242

Vulnerability from cnvd

Title: Dell PowerProtect Data Domain访问控制漏洞

Description:

Dell PowerProtect Data Domain是戴尔科技推出的数据保护存储设备，基于Data Domain平台构建，专为构建网络弹性基础和实现快速数据恢复设计。

Dell PowerProtect Data Domain存在访问控制漏洞，该漏洞源于访问控制粒度不足，攻击者可利用该漏洞以root权限执行任意命令。

Severity: 高

Patch Name: Dell PowerProtect Data Domain访问控制漏洞的补丁

Patch Description:

Dell PowerProtect Data Domain是戴尔科技推出的数据保护存储设备，基于Data Domain平台构建，专为构建网络弹性基础和实现快速数据恢复设计。

Dell PowerProtect Data Domain存在访问控制漏洞，该漏洞源于访问控制粒度不足，攻击者可利用该漏洞以root权限执行任意命令。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级程序修复该安全问题，详情见厂商官网： https://www.dell.com/support/kbdoc/en-us/000300899/dsa-2025-139-dell-technologies-powerprotect-data-domain-security-update-for-a-security-vulnerability

Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-29987

Impacted products

Name
DELL Dell PowerProtect Data Domain <8.3.0.15

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-29987",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-29987"
    }
  },
  "description": "Dell PowerProtect Data Domain\u662f\u6234\u5c14\u79d1\u6280\u63a8\u51fa\u7684\u6570\u636e\u4fdd\u62a4\u5b58\u50a8\u8bbe\u5907\uff0c\u57fa\u4e8eData Domain\u5e73\u53f0\u6784\u5efa\uff0c\u4e13\u4e3a\u6784\u5efa\u7f51\u7edc\u5f39\u6027\u57fa\u7840\u548c\u5b9e\u73b0\u5feb\u901f\u6570\u636e\u6062\u590d\u8bbe\u8ba1\u3002\n\nDell PowerProtect Data Domain\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8bbf\u95ee\u63a7\u5236\u7c92\u5ea6\u4e0d\u8db3\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5root\u6743\u9650\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://www.dell.com/support/kbdoc/en-us/000300899/dsa-2025-139-dell-technologies-powerprotect-data-domain-security-update-for-a-security-vulnerability",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-15242",
  "openTime": "2025-07-07",
  "patchDescription": "Dell PowerProtect Data Domain\u662f\u6234\u5c14\u79d1\u6280\u63a8\u51fa\u7684\u6570\u636e\u4fdd\u62a4\u5b58\u50a8\u8bbe\u5907\uff0c\u57fa\u4e8eData Domain\u5e73\u53f0\u6784\u5efa\uff0c\u4e13\u4e3a\u6784\u5efa\u7f51\u7edc\u5f39\u6027\u57fa\u7840\u548c\u5b9e\u73b0\u5feb\u901f\u6570\u636e\u6062\u590d\u8bbe\u8ba1\u3002\r\n\r\nDell PowerProtect Data Domain\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8bbf\u95ee\u63a7\u5236\u7c92\u5ea6\u4e0d\u8db3\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5root\u6743\u9650\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Dell PowerProtect Data Domain\u8bbf\u95ee\u63a7\u5236\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "DELL Dell PowerProtect Data Domain \u003c8.3.0.15"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-29987",
  "serverity": "\u9ad8",
  "submitTime": "2025-04-10",
  "title": "Dell PowerProtect Data Domain\u8bbf\u95ee\u63a7\u5236\u6f0f\u6d1e"
}

CVE-2025-29987 (GCVE-0-2025-29987)

Vulnerability from cvelistv5

Published

2025-04-03 15:18

Modified

2025-04-05 03:55

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-1220 - Insufficient Granularity of Access Control

Summary

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficient Granularity of Access Control vulnerability. An authenticated user from a trusted remote client could exploit this vulnerability to execute arbitrary commands with root privileges.

References

▼	URL	Tags
	https://www.dell.com/support/kbdoc/en-us/000300899/dsa-2025-139-dell-technologies-powerprotect-data-domain-security-update-for-a-security-vulnerability	vendor-advisory

Impacted products

Vendor

Product

Version

▼

Dell

DD OS 8.3

Version: 7.7.1.0 ≤ 8.3.0.10

Dell	DD OS 7.13	Version: 7.13.1.0 ≤ 7.13.1.20
Dell	DD OS 7.10	Version: 7.10.1.0 ≤ 7.10.1.50
Dell	PowerProtect DP Series Appliance (IDPA)	Version: N/A ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-29987",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-04T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-05T03:55:35.210Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DD OS 8.3",
          "vendor": "Dell",
          "versions": [
            {
              "lessThanOrEqual": "8.3.0.10",
              "status": "affected",
              "version": "7.7.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DD OS 7.13",
          "vendor": "Dell",
          "versions": [
            {
              "lessThanOrEqual": "7.13.1.20",
              "status": "affected",
              "version": "7.13.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DD OS 7.10",
          "vendor": "Dell",
          "versions": [
            {
              "lessThanOrEqual": "7.10.1.50",
              "status": "affected",
              "version": "7.10.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "PowerProtect DP Series Appliance (IDPA)",
          "vendor": "Dell",
          "versions": [
            {
              "lessThan": "2.7.8",
              "status": "affected",
              "version": "N/A",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-04-02T06:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficient Granularity of Access Control vulnerability. An authenticated user from a trusted remote client could exploit this vulnerability to execute arbitrary commands with root privileges.\u003cbr\u003e"
            }
          ],
          "value": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficient Granularity of Access Control vulnerability. An authenticated user from a trusted remote client could exploit this vulnerability to execute arbitrary commands with root privileges."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1220",
              "description": "CWE-1220: Insufficient Granularity of Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-03T15:18:06.144Z",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.dell.com/support/kbdoc/en-us/000300899/dsa-2025-139-dell-technologies-powerprotect-data-domain-security-update-for-a-security-vulnerability"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2025-29987",
    "datePublished": "2025-04-03T15:18:06.144Z",
    "dateReserved": "2025-03-13T05:03:56.322Z",
    "dateUpdated": "2025-04-05T03:55:35.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted