

PoC Released for Critical Linux Kernel Bug Allowing Local Privilege Escalation
April 7, 2025
RedLine Stealer – Active IOCs
April 7, 2025
Severity
High
Analysis Summary
A critical vulnerability, tracked as CVE-2025-29987, has been discovered in Dell Technologies' PowerProtect Data Domain systems, posing a serious security threat to enterprise backup and recovery infrastructure. This high-severity flaw, scored under CVSS v3.1, affects several versions of the Data Domain Operating System (DD OS) prior to 8.3.0.15.
According to the researcher, the vulnerability arises from insufficient granularity of access controls, allowing an authenticated, low-privileged user from a trusted remote client to execute arbitrary commands with root privileges, essentially giving them full control over affected systems. This could lead to data loss, malware injection, or lateral movement within enterprise networks.
The vulnerability impacts a wide array of Dell products, including PowerProtect Data Domain appliances, Virtual Edition, APEX Protection Storage, PowerProtect DP Series Appliance (IDPA) (versions 2.7.6–2.7.8), and Disk Library for mainframe DLm8500 and DLm8700. Affected DD OS versions include 7.7.1.0 to 8.3.0.10, 7.13.1.0 to 7.13.1.20, and 7.10.1.0 to 7.10.1.50. An exploitability score of 2.8 and an impact score of 5.9 indicate the flaw's high risk if not promptly mitigated.
To address the issue, Dell has released patched versions: DD OS 8.3.0.15, 7.13.1.25, and 7.10.1.60 for their respective product lines. For IDPA systems, upgrading to include DD OS 7.10.1.60 is necessary, while the Disk Library for mainframe requires updates to Version 5.4.0.0 or later for DLm8500, and Version 7.0.0.0 or later for DLm8700. Dell has been actively updating its security advisories, with six revisions between April 2 and 4, 2025, offering step-by-step upgrade instructions and clarifications.
This is not the first time Dell’s backup infrastructure has faced severe vulnerabilities; past issues, such as CVE-2023-44277 and CVE-2024-22445, also enabled command execution risks. However, CVE-2025-29987 is especially concerning due to the elevated privileges granted upon exploitation. Organizations using vulnerable systems—especially those handling sensitive or regulated data—must prioritize patching immediately to prevent exploitation, data breaches, and further security compromise.
Impact
- Data Loss
- Unauthorized Access
- Privilege Escalation
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-29987
- CVE-2023-44277
- CVE-2024-22445
Affected Vendors
- Dell
Affected Products
- Dell DD OS 8.3 - 7.7.1.0
- Dell DD OS 7.13 - 7.13.1.0
- Dell DD OS 7.10 - 7.10.1.0
- Dell PowerProtect DP Series Appliance (IDPA) - N/A
Remediation
- Refer to the Dell Security Advisory for patch, upgrade, or suggested workaround information.
- Upgrade the Data Domain Operating System (DD OS) to a fixed version: 8.3.0.15, 7.13.1.25, or 7.10.1.60, depending on the release line.
- For PowerProtect DP Series Appliances (IDPA) versions 2.7.6, 2.7.7, and 2.7.8, integrate DD OS 7.10.1.60 into your system.
- Schedule downtime or maintenance windows for patching critical systems.
- Perform testing on non-production environments before rolling out to live infrastructure.
- Review user privileges and access logs for signs of misuse.
- Implement enhanced monitoring for unusual command executions or privilege escalations.
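To prioritize the upgrades above, the following added example (not from Dell or the original advisory) triages reported DD OS version strings against the affected ranges and fixed releases quoted in this advisory. The hostnames, the sample versions, the `-<build>` suffix handling, and the "review" status for builds between the last listed affected release and the fix are assumptions.

```python
import re

# (train prefix, first affected, last affected, fixed release), all taken from the
# advisory text. The 7.10.1 and 7.13.1 trains sit numerically inside the broad
# 7.7.1.0 - 8.3.0.10 range but have their own fixes, so they are matched first.
TRAINS = [
    ((7, 10, 1), (7, 10, 1, 0), (7, 10, 1, 50), (7, 10, 1, 60)),
    ((7, 13, 1), (7, 13, 1, 0), (7, 13, 1, 20), (7, 13, 1, 25)),
    ((), (7, 7, 1, 0), (8, 3, 0, 10), (8, 3, 0, 15)),
]

def parse_version(text):
    """Parse 'a.b.c.d'; a trailing '-<build>' suffix is tolerated (assumed format)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-\d+)?\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None

def triage(text):
    """Return (status, fixed_release) for one reported DD OS version string."""
    v = parse_version(text)
    if v is None:
        return ("unparseable", None)
    prefix, first, last, fixed = next(t for t in TRAINS if v[:len(t[0])] == t[0])
    fixed_str = ".".join(map(str, fixed))
    if v >= fixed:
        return ("fixed", fixed_str)
    if v >= first:
        # Assumption: builds after the last listed affected release but before the
        # fix are not confirmed patched, so they are flagged for manual review.
        return ("affected" if v <= last else "review", fixed_str)
    return ("not-listed", None)  # older than anything the advisory lists

def needs_action(inventory):
    """Hosts whose version is affected, unconfirmed, or unreadable, sorted by name."""
    return sorted(h for h, ver in inventory.items()
                  if triage(ver)[0] in ("affected", "review", "unparseable"))

# Constructed sample inventory (hypothetical hostnames and versions).
INVENTORY = {
    "dd-backup-01": "7.10.1.50",
    "dd-backup-02": "7.13.1.25",
    "dd-backup-03": "8.3.0.10-1234567",
    "dd-backup-04": "8.3.0.15",
    "dd-backup-05": "7.12.0.0",
    "dd-backup-06": "unknown",
}

if __name__ == "__main__":
    for host, ver in sorted(INVENTORY.items()):
        print(host, ver, *triage(ver))
```

Versions older than 7.7.1.0 come back as "not-listed" because the advisory makes no statement about them; check those against the Dell Security Advisory directly.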