Advisory

Dell reports seven critical flaws in PowerProtect Data Domain (DD) systems

Take action: If you are running Dell Data Domain, this is a critical advisory that patches multiple flaws. First, make sure that your Data Domain system is isolated and accessible only from trusted networks. Then plan to patch quickly.



Dell has released a critical security advisory (DSA-2025-022) addressing seven critical vulnerabilities in PowerProtect Data Domain (DD) systems. These vulnerabilities could lead to privilege escalation, unauthorized system access, denial of service, or data exfiltration in affected PowerProtect DD systems.

Critical vulnerabilities:

  • CVE-2024-41110 (CVSS score 9.9) - (Docker): Allows container escape and unauthorized host system access
  • CVE-2024-24790 (CVSS score 9.8) - (HTTP protocol library): Permits DoS and man-in-the-middle attacks
  • CVE-2024-24577 (CVSS score 9.8) - (libgit2): Allows remote code execution and repository tampering
  • CVE-2018-6913 (CVSS score 9.8) - (Perl): Enables arbitrary code execution through legacy dependencies
  • CVE-2024-37371 (CVSS score 9.1) - (Kerberos krb5): Enables authentication bypass
  • CVE-2024-38428 (CVSS score 9.1) - (GNU Wget): Enables malicious script execution and data download compromise
  • CVE-2024-33871 (CVSS score 8.8) - (Artifex Ghostscript): Enables potential code execution and system compromise

The presence of a critical vulnerability from 2018 (CVE-2018-6913) indicates potential legacy dependency issues within the ecosystem.

Dell has released patches to address these vulnerabilities and recommends immediate application of updates through their official support portal. System administrators should also conduct environment reviews for potential exploitation indicators and maintain vigilance for future updates.

Affected Products
Data Domain, DD OS, DD OS 7.10, DD OS 7.11, DD OS 7.12, DD OS 7.13, DD OS 7.2, DD OS 7.7, DD OS 7.8, DD OS 7.9, DD OS 8.1, DD OS 8.3, DD OS 8.0, DD OS Licensed Features, Data Domain Virtual Edition, PowerProtect Data Domain Management Center

No information is disclosed about any active exploits in the wild or the number of potentially affected systems.
