CVE-2025-22475
Published: 04 February 2025
Summary
CVE-2025-22475 is a low-severity Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) vulnerability in Dell Data Domain Operating System. Its CVSS base score is 3.7 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates use of FIPS-validated cryptographic modules for protection, directly mitigating risky implementations of cryptographic primitives that enable tampering.
Requires timely remediation of flaws like CVE-2025-22475 through patching to upgraded versions, eliminating the vulnerability.
Monitors for unauthorized changes to software and information, enabling detection of tampering resulting from exploitation of the cryptographic flaw.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network-exploitable vulnerability in Dell PowerProtect DD system with no auth or interaction required directly enables T1190 for initial access via public-facing application exploitation; crypto weakness facilitates tampering impact.
NVD Description
Dell PowerProtect DD, versions prior to DDOS 8.3.0.0, 7.10.1.50, and 7.13.1.10 contains a use of a Cryptographic Primitive with a Risky Implementation vulnerability. A remote attacker could potentially exploit this vulnerability, leading to Information tampering.
Deeper analysisAI
CVE-2025-22475 is a use of a Cryptographic Primitive with a Risky Implementation vulnerability, associated with CWE-1240 and CWE-327, affecting Dell PowerProtect DD systems. The vulnerability impacts versions prior to DDOS 8.3.0.0, 7.10.1.50, and 7.13.1.10.
A remote attacker could potentially exploit this vulnerability over the network, with high attack complexity, no required privileges, and no user interaction. Successful exploitation could lead to information tampering, with a CVSS v3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Dell's security advisory DSA-2025-022, available at https://www.dell.com/support/kbdoc/en-us/000279157/dsa-2025-022-security-update-for-dell-powerprotect-dd-multiple-vulnerabilities, details security updates for Dell PowerProtect DD that address this and other vulnerabilities, recommending upgrades to the specified fixed versions.
Details
- CWE(s)