CVE-2025-43889 in PowerProtect Data Domain with Data Domain Operating System of Feature Release

Summary

by MITRE • 10/07/2025

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4, LTS2024 release versions 7.13.1.0 through 7.13.1.30, LTS 2023 release versions 7.10.1.0 through 7.10.1.60, contain an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure.


Analysis

by VulDB Data Team • 10/15/2025

The vulnerability identified as CVE-2025-43889 represents a critical path traversal flaw within Dell PowerProtect Data Domain systems running specific operating system versions. This weakness exists in the web user interface component of the Data Domain Operating System, creating an exploitable condition that allows unauthorized remote access to system resources. The affected versions span multiple release branches including Feature Release 7.7.1.0 through 8.4, LTS2024 release versions 7.13.1.0 through 7.13.1.30, and LTS 2023 release versions 7.10.1.0 through 7.10.1.60, indicating a widespread impact across multiple supported software lines.

This path traversal vulnerability falls under CWE-22, which specifically addresses improper limitation of pathname to restricted directory conditions. The flaw occurs when the web interface fails to properly validate or sanitize user-supplied input that influences file system operations. An attacker can manipulate the application's handling of file paths to traverse directories outside the intended restricted areas, potentially accessing sensitive system files, configuration data, or other restricted resources that should not be publicly accessible. The vulnerability's classification as a path traversal issue means it operates by exploiting the underlying operating system's file access mechanisms through carefully crafted input sequences.

The operational impact of this vulnerability extends beyond simple information disclosure, as it provides potential attackers with unauthorized access to critical system components that may contain sensitive data or system configurations. Remote exploitation without authentication creates a particularly dangerous scenario where malicious actors can access system resources from outside the network perimeter. This vulnerability compromises the integrity of the system's access controls and could potentially lead to further exploitation opportunities, including privilege escalation or complete system compromise depending on the specific files and directories that become accessible through the traversal path.

Organizations utilizing affected Dell PowerProtect Data Domain systems should implement immediate mitigations, including network segmentation to limit access to the web interface, application of the latest security patches provided by Dell, and additional monitoring controls to detect anomalous access patterns. The vulnerability aligns with ATT&CK technique T1071.004 for application layer protocol usage and T1566 for credential access through web applications. Security teams should also consider implementing web application firewalls and access control measures to restrict direct access to the affected system interfaces while maintaining operational functionality. The affected systems require urgent patching to address the path traversal vulnerability and restore proper directory traversal restrictions.
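The two defensive points made above, validating user-supplied path input before it reaches the file system (the CWE-22 root cause described in the analysis) and monitoring for anomalous access patterns, can be illustrated with generic code. The following is an added example written for this page; it is not Dell's code and says nothing about how the DD OS UI is implemented. The base directory, the log format (Apache-style Common Log Format) and the log lines are all constructed for the illustration.

```python
"""Generic CWE-22 handling, added as an illustration (not Dell/DD OS code):
1) a server-side resolver that only serves files under a fixed base directory;
2) a log scanner that flags traversal-style requests for detection.
"""
import re
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import unquote


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e%252e -> %2e%2e -> ..).

    Traversal checks that run on the raw string miss encoded dots, so decode
    until the value stops changing (bounded to avoid pathological input)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_base(base_dir: str, requested: str) -> Optional[Path]:
    """Return the absolute path for `requested` only if it stays inside base_dir.

    The safe pattern: canonicalise both the base and the candidate, then
    require the candidate to be a descendant of the base. A leading slash in
    the request is deliberately treated as relative to base_dir."""
    base = Path(base_dir).resolve()
    cleaned = _fully_decode(requested).replace("\\", "/").lstrip("/")
    # resolve() collapses '..' segments and follows symlinks, so the
    # containment check below is made on the real target, not the string.
    candidate = (base / cleaned).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # escaped the restricted directory: refuse to serve
    return candidate


# A '..' segment delimited by slashes (or the string boundary). "logo..png"
# is not a traversal, so a bare '..' substring match would be too noisy.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

# Apache/nginx Common Log Format: ip ident user [time] "METHOD path HTTP/x" status
CLF_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})'
)


def is_traversal_attempt(raw_path: str) -> bool:
    """True if the decoded request path contains a parent-directory segment."""
    decoded = _fully_decode(raw_path).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client_ip, path, status) for CLF lines whose path looks like traversal.

    A 200 on such a request is the line worth escalating: it suggests the
    server actually served something outside the intended directory."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        if is_traversal_attempt(path):
            hits.append((ip, path, int(status)))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /ui/static/css/app.css HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /ui/static/../../../etc/passwd HTTP/1.1" 200 1983',
    '203.0.113.7 - - [10/Oct/2025:12:00:03 +0000] "GET /ui/static/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0',
    '203.0.113.9 - - [10/Oct/2025:12:00:04 +0000] "GET /ui/static/img/logo..png HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, path, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} -> HTTP {status}")
    print(resolve_under_base("/srv/ui/static", "css/app.css"))
    print(resolve_under_base("/srv/ui/static", "%2e%2e/%2e%2e/etc/passwd"))
```

The resolver and the scanner share the same decoding step on purpose: a filter that rejects `../` but not `%2e%2e/` or `%252e%252e/` gives a false sense of safety, and the same blind spot would make a detection rule miss the encoded variants. The containment check uses `Path.relative_to` after `resolve()` rather than a string prefix test, so a sibling directory such as `/srv/ui/static-old` is also rejected.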

Responsible

Dell

Reservation

04/18/2025

Disclosure

10/07/2025

Moderation

accepted

CPE

ready

EPSS

0.00226

KEV

no

Activities

very low

Sources
