CVE-2025-36594
Published: 04 August 2025
Summary
CVE-2025-36594 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Dell Data Domain Operating System (DD OS). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-17 (Remote Access).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): Timely patching of the authentication bypass as provided in Dell DSA-2025-159 directly remediates the flaw, removing the remote unauthenticated exploitation path.
AC-17 (Remote Access): Authorizes, monitors, and restricts remote access to the Data Domain system, reducing the exposure of the spoofing vulnerability to unauthenticated remote attackers until the patch is applied.
IA-8 (Identification and Authentication for Non-Organizational Users): Enforces identification and authentication for non-organizational users, countering spoofing-based authentication bypass by remote attackers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated authentication bypass on a public-facing Dell appliance maps directly to T1190 (Exploit Public-Facing Application); the account creation that follows a successful bypass maps to T1136.001 (Create Account: Local Account).
NVD Description
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.3.0.15, LTS2024 release Versions 7.13.1.0 through 7.13.1.25, LTS 2023 release versions 7.10.1.0 through 7.10.1.60, contain an Authentication Bypass by Spoofing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Remote unauthenticated user can create account that potentially expose customer info, affect system integrity and availability.
Deeper analysis
CVE-2025-36594 is an Authentication Bypass by Spoofing vulnerability (CWE-290) affecting Dell PowerProtect Data Domain systems running Data Domain Operating System (DD OS). The issue impacts Feature Release versions 7.7.1.0 through 8.3.0.15, LTS 2024 release versions 7.13.1.0 through 7.13.1.25, and LTS 2023 release versions 7.10.1.0 through 7.10.1.60. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high confidentiality, integrity, and availability impacts.
An unauthenticated attacker with remote network access can exploit this vulnerability to bypass authentication and protection mechanisms. Successful exploitation allows the attacker to create accounts, potentially exposing customer information and compromising system integrity and availability.
Dell Security Advisory DSA-2025-159 addresses this and other vulnerabilities in PowerProtect Data Domain, providing security updates for mitigation. Security practitioners should consult the advisory at https://www.dell.com/support/kbdoc/en-us/000348708/dsa-2025-159-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities for patching details and apply updates to affected versions.
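Before applying the update it helps to know which appliances are actually in the affected ranges. The following checker is an added example for this page (not Dell's tooling): it takes the three version ranges from the NVD description above and classifies DD OS version strings against them. The host inventory in it is constructed, and the branch-prefix handling is this example's assumption: because 7.10.1.x and 7.13.1.x fall numerically inside the 7.7.1.0 through 8.3.0.15 Feature Release span, a plain numeric range check would flag every LTS build as affected, so LTS versions are judged by their own ranges first. A version above an LTS range's listed upper bound is reported only as outside the listed range; the page gives no fixed build numbers, so confirm the actual fixed builds in DSA-2025-159.

```python
"""Classify Dell DD OS version strings against the CVE-2025-36594 ranges.

The three ranges are the ones in the NVD description on this page. The branch
handling and the host inventory are this example's own assumptions and should
be confirmed against Dell DSA-2025-159.
"""

# (branch prefix or None, lowest affected, highest affected, release train).
# LTS branches come first: 7.10.1.x and 7.13.1.x sit numerically inside the
# Feature Release span, so they must be judged by their own LTS ranges.
AFFECTED_RANGES = [
    ((7, 10, 1), (7, 10, 1, 0), (7, 10, 1, 60), "LTS2023"),
    ((7, 13, 1), (7, 13, 1, 0), (7, 13, 1, 25), "LTS2024"),
    (None, (7, 7, 1, 0), (8, 3, 0, 15), "Feature Release"),
]


def parse_version(text):
    """Turn '7.13.1.25' into (7, 13, 1, 25), padding short strings with zeros.

    Tuples compare component-wise, which is what we need: as plain strings
    '7.13.1.0' sorts below '7.7.1.0', so a string comparison would misplace
    the whole LTS2024 train.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    if len(nums) < 4:
        nums += (0,) * (4 - len(nums))
    return nums


def classify(version_text):
    """Return (affected, train) for one DD OS version string.

    On an LTS branch, a version above the listed upper bound is reported as
    not affected; read that as 'outside the listed range', not 'confirmed
    fixed', since the page gives no fixed build numbers.
    """
    v = parse_version(version_text)
    for prefix, low, high, train in AFFECTED_RANGES:
        if prefix is not None and v[: len(prefix)] != prefix:
            continue
        if low <= v <= high:
            return True, train
        if prefix is not None:
            return False, train
    return False, "Feature Release"


def affected_hosts(inventory):
    """Reduce a {hostname: version} mapping to the hosts still in range."""
    result = {}
    for host, version in inventory.items():
        affected, train = classify(version)
        if affected:
            result[host] = (version, train)
    return result


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up for this example.
    inventory = {
        "dd-backup-01": "7.13.1.10",
        "dd-backup-02": "7.13.1.26",
        "dd-dr-01": "7.10.1.60",
        "dd-lab-01": "8.3.0.16",
        "dd-lab-02": "7.9.0.0",
    }
    for host, (version, train) in sorted(affected_hosts(inventory).items()):
        print(f"{host}: DD OS {version} ({train}) is in the affected range")
```

In practice the inventory would come from your appliance management or CMDB export; the classification logic is the part worth keeping, in particular the tuple comparison and the LTS-first ordering.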
Details
- CWE(s)