CVE-2025-46605

Severity: MEDIUM
Date: 2026-04-17 (vendor: dell)
Base score: 6.2 (CVSS 3.1)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

1. Analysis Generated: Apr 17, 2026 - 11:55 (vuln.today)

Description (NVD)

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain a session fixation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.

Analysis (AI)

Dell PowerProtect Data Domain DD OS versions 8.4-8.5 contain a session fixation vulnerability that allows a high-privileged remote attacker to hijack an authenticated session and gain unauthorized access without any user interaction. The CVSS score of 6.2 reflects high attack complexity (AC:H) and the high privileges the attacker must already hold (PR:H), which temper the otherwise high confidentiality and integrity impact; no public exploit or active exploitation had been identified at the time of analysis.

Technical Context (AI)

Session fixation (CWE-384) is an authentication bypass flaw in which an attacker pre-sets or predicts a victim's session identifier before authentication, then reuses that known identifier after the victim logs in. In Dell PowerProtect Data Domain, the DD OS (a hardened operating system for backup deduplication appliances) fails to regenerate session tokens during authentication transitions. The vulnerability affects the Feature Release (FR) channel versions 8.4 and 8.5, suggesting a regression or an incomplete security patch in those specific branches. High-privileged attackers (PR:H in the CVSS vector) with network access (AV:N) exploit this by crafting malicious session tokens or intercepting pre-authentication session establishment, then leveraging the victim's authenticated context to reach data management, replication, or administrative functions without re-authenticating.
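The failure described above, a login that keeps the pre-authentication session identifier, beside the fix that rotates it on the authentication transition, as an added example; this is a constructed in-memory session store, not DD OS or Dell code, and the user name "sysadmin" is a made-up sample value.

```python
import secrets


class SessionStore:
    """Minimal server-side session store (constructed for illustration)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        """Issue an anonymous, pre-authentication session identifier."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, user, rotate=True):
        """Authenticate the session `sid` as `user`.

        rotate=False reproduces CWE-384: the identifier the client presented is
        kept (and even created if unknown), so anyone who planted it keeps it.
        rotate=True is the fix: a fresh identifier is issued at the
        authentication transition and the old one is invalidated.
        """
        if not rotate:
            sess = self._sessions.setdefault(sid, {"user": None})
            sess["user"] = user
            return sid
        self._sessions.pop(sid, None)  # old id must not map to the auth'd context
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def fixation_possible(rotate):
    """Model the attack: the attacker knows a pre-auth id (e.g. planted in the
    victim's browser); after the victim logs in with it, does that known id now
    carry the victim's authenticated context?"""
    store = SessionStore()
    planted_sid = store.new_session()  # identifier known to the attacker
    store.login(planted_sid, "sysadmin", rotate=rotate)  # victim authenticates
    hijacked = store.get(planted_sid)
    return hijacked is not None and hijacked["user"] == "sysadmin"


def victim_keeps_access(rotate):
    """Rotation must not break the legitimate user: the id returned by login
    still resolves to the authenticated session."""
    store = SessionStore()
    sid = store.login(store.new_session(), "sysadmin", rotate=rotate)
    return store.get(sid)["user"] == "sysadmin"
```

A quick regression check for any login handler is the same sequence: obtain an anonymous identifier, authenticate with it, and assert that the original identifier no longer resolves to an authenticated session.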

Remediation (AI)

Apply the Dell security update referenced in DSA-2026-060 (https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities) to upgrade DD OS beyond version 8.5. Exact patched version numbers should be confirmed from the Dell advisory; the update will include session token regeneration logic post-authentication. As a compensating control pending patch deployment, restrict administrative console access (SSH, Web UI) to trusted management networks via firewall ACLs; this limits the PR:H requirement by reducing the pool of high-privileged users who can reach the appliance. Disable or restrict the remote access protocols of the DD OS management interface (SSH port 22, HTTPS port 443) to authorized administrator subnets only. Note that this may impact remote backup job monitoring and troubleshooting, requiring temporary workarounds such as increased local logging or temporary VPN tunnels. Additionally, enforce session timeout policies at the shortest acceptable operational interval (e.g., 30 minutes for idle sessions) to limit the window for session reuse exploitation.


CVE-2025-46605 vulnerability details – vuln.today
