
CVE-2025-43891: Dell Data Domain OS Info Disclosure Flaw

CVE-2025-43891 is an information disclosure vulnerability in Dell Data Domain Operating System caused by weak cryptographic algorithms. Unauthenticated attackers can exploit this remotely. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2025-43891 Overview

CVE-2025-43891 affects Dell PowerProtect Data Domain systems running Data Domain Operating System (DD OS). The flaw resides in the authentication component, where a broken or risky cryptographic algorithm [CWE-327] weakens protection of sensitive data. An unauthenticated remote attacker can exploit this weakness to obtain information that should remain confidential.

The vulnerability impacts multiple release trains, including Feature Release versions 7.7.1.0 through 8.3.0.15, LTS2025 release 8.3.1.0, LTS2024 releases 7.13.1.0 through 7.13.1.30, and LTS2023 releases 7.10.1.0 through 7.10.1.60. Dell published advisory DSA-2025-333 to address this issue.

Critical Impact

Unauthenticated remote attackers can exploit weak cryptography in DD OS authentication to disclose sensitive information without user interaction.

Affected Products

  • Dell PowerProtect Data Domain with DD OS Feature Release versions 7.7.1.0 through 8.3.0.15
  • Dell PowerProtect Data Domain with DD OS LTS2025 release version 8.3.1.0 and LTS2024 versions 7.13.1.0 through 7.13.1.30
  • Dell PowerProtect Data Domain with DD OS LTS2023 versions 7.10.1.0 through 7.10.1.60

Discovery Timeline

  • 2025-10-07 - CVE-2025-43891 published to NVD
  • 2025-10-14 - Last updated in NVD database

Technical Details for CVE-2025-43891

Vulnerability Analysis

The vulnerability stems from the use of a broken or risky cryptographic algorithm within the authentication subsystem of DD OS. When cryptographic primitives are weak or outdated, attackers can recover plaintext, forge values, or otherwise undermine the security guarantees the algorithm is meant to provide. In this case, the weakness produces a confidentiality impact, allowing information disclosure over the network.

The issue is reachable without authentication and without user interaction. An attacker with network access to the Data Domain appliance can interact with the authentication flow and leverage the weak cryptography to extract sensitive data. The attack does not require local access, elevated privileges, or social engineering.

Root Cause

The root cause is classified under [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. Dell's advisory describes the defect as residing in authentication handling within DD OS. Weak algorithms in authentication paths can expose key material, password-equivalent values, session tokens, or other authentication artifacts to attackers who can observe or interact with the protocol.

Attack Vector

Exploitation requires network reachability to the management or authentication interface of an affected PowerProtect Data Domain appliance. Because Data Domain systems often store backup data and credentials for backup workflows, any disclosed authentication material could enable secondary attacks against backup infrastructure, including impersonation of legitimate clients or services. No verified public proof-of-concept is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

See the Dell Security Update DSA-2025-333 for technical details.

Detection Methods for CVE-2025-43891

Indicators of Compromise

  • Unexpected authentication attempts or session activity on DD OS management interfaces from untrusted networks.
  • Use of deprecated cryptographic algorithms or cipher suites observed in TLS or authentication handshakes against the appliance.
  • Anomalous data egress from backup management subnets following authentication exchanges with Data Domain systems.

Detection Strategies

  • Inventory all PowerProtect Data Domain appliances and compare running DD OS versions against the affected ranges in DSA-2025-333.
  • Inspect network traffic to and from DD OS management interfaces for use of legacy protocols or weak cipher suites.
  • Correlate authentication events on DD OS with source IPs outside expected administrative networks.
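
The version comparison in the first strategy has one trap: the LTS trains (7.10.1.x, 7.13.1.x, 8.3.1.x) sit numerically inside the Feature Release span 7.7.1.0 through 8.3.0.15, so a plain range test would flag an LTS build numbered above its affected range as vulnerable. The following is an added example, not Dell's or this page's own tooling; it assumes a three-part prefix identifies the LTS train, and the inventory hostnames and version banners are constructed sample values. A "not-listed" result only means the build is outside the ranges quoted on this page and should still be confirmed against DSA-2025-333.

```python
import re

# Affected ranges quoted on this page (inclusive). LTS trains are matched on
# their three-part prefix first (an assumption of this example), because their
# numbers fall inside the Feature Release span 7.7.1.0 - 8.3.0.15.
LTS_TRAINS = {
    (7, 10, 1): ("LTS2023", 0, 60),
    (7, 13, 1): ("LTS2024", 0, 30),
    (8, 3, 1): ("LTS2025", 0, 0),
}
FEATURE_RANGE = ((7, 7, 1, 0), (8, 3, 0, 15))
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first four-part version from free-form CLI output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no four-part DD OS version in {text!r}")
    return tuple(int(p) for p in m.groups())


def classify(text):
    """Return (status, train) for a DD OS version string."""
    v = parse_version(text)
    train = LTS_TRAINS.get(v[:3])
    if train:
        name, low, high = train
        return ("affected" if low <= v[3] <= high else "not-listed", name)
    low, high = FEATURE_RANGE
    if low <= v <= high:
        return ("affected", "Feature Release")
    return ("not-listed", "Feature Release")


if __name__ == "__main__":
    # Constructed inventory: hostnames and version banners are sample values.
    inventory = {
        "dd-site-a": "Data Domain OS 7.10.1.60-1000000",
        "dd-site-b": "Data Domain OS 7.10.1.70-1000001",
        "dd-site-c": "Data Domain OS 8.3.0.15-1000002",
        "dd-site-d": "Data Domain OS 8.4.0.0-1000003",
    }
    for host, banner in inventory.items():
        status, train = classify(banner)
        print(f"{host}: {parse_version(banner)} {train} -> {status}")
```
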

Monitoring Recommendations

  • Forward DD OS audit and authentication logs to a centralized SIEM for review of failed logins, configuration changes, and certificate or key operations.
  • Alert on connections to Data Domain management ports from networks that are not part of the documented backup administration zone.
  • Monitor for changes to administrative accounts, API tokens, or service credentials originating from Data Domain workflows.

How to Mitigate CVE-2025-43891

Immediate Actions Required

  • Apply the DD OS updates referenced in Dell Security Update DSA-2025-333 to all affected Data Domain appliances.
  • Restrict network access to DD OS management interfaces using firewalls, ACLs, or dedicated management VLANs until patching is complete.
  • Rotate administrative credentials, API tokens, and any shared secrets used by backup workflows after upgrading.

Patch Information

Dell has released fixed versions through advisory DSA-2025-333. Administrators should upgrade beyond DD OS Feature Release 8.3.0.15, apply the fix for LTS2025 release 8.3.1.0, and move beyond LTS2024 7.13.1.30 and LTS2023 7.10.1.60 to remediated builds as listed in the vendor advisory.

Workarounds

  • Limit exposure of DD OS authentication interfaces to trusted administrative networks only, blocking access from general user subnets and the internet.
  • Enforce jump-host or bastion access for all administrative connections to Data Domain appliances.
  • Disable or restrict legacy authentication protocols and cipher suites on adjacent network infrastructure where supported.

```bash
# Configuration example: restrict management access to Data Domain appliances
# Replace interface, subnet, and management IP with values for your environment

# Example iptables rule on an upstream gateway allowing only the admin subnet
iptables -A FORWARD -s 10.10.20.0/24 -d 10.50.0.10 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 10.50.0.10 -p tcp --dport 443 -j DROP

# Verify Data Domain version after patching
ssh sysadmin@dd-appliance "system show version"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
