Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
6DescriptionCVE.org
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain a session fixation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.
AnalysisAI
Dell PowerProtect Data Domain DD OS versions 8.4-8.5 contain a session fixation vulnerability allowing high-privileged remote attackers to hijack authenticated sessions and gain unauthorized access without requiring user interaction. CVSS 6.2 reflects the high-complexity attack surface (AC:H) offset by elevated attacker privileges (PR:H) and direct confidentiality/integrity impact; no public exploit or active exploitation has been identified at time of analysis.
Technical ContextAI
Session fixation (CWE-384) is an authentication bypass flaw where an attacker pre-sets or predicts a victim's session identifier before authentication, then reuses that known session after the victim logs in. In Dell PowerProtect Data Domain, the DD OS (a hardened operating system for backup deduplication appliances) fails to regenerate session tokens during authentication transitions. The vulnerability affects the Feature Release (FR) channel versions 8.4 and 8.5, suggesting a regression or incomplete security patch in those specific branches. High-privileged attackers (PR:H in CVSS vector) with network access (AV:N) exploit this by crafting malicious session tokens or intercepting pre-authentication session establishment, then leveraging the victim's authenticated context to access data management, replication, or administrative functions without re-authentication.
RemediationAI
Apply the Dell security update referenced in DSA-2026-060 (https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities) to upgrade DD OS beyond version 8.5. Exact patched version numbers should be confirmed from the Dell advisory; the update will include session token regeneration logic post-authentication. As a compensating control pending patch deployment, restrict administrative console access (SSH, Web UI) to trusted management networks via firewall ACLs-this limits the PR:H requirement by reducing the pool of high-privileged users who can reach the appliance. Disable or restrict remote access protocols (SSH port 22, HTTPS port 443) for the DD OS management interface to only authorized administrator subnets. Note this may impact remote backup job monitoring and troubleshooting, requiring temporary workarounds such as increased local logging or temporary VPN tunnels. Additionally, implement session timeout policies at the shortest acceptable operational interval (e.g., 30 minutes for idle sessions) to limit the window for session reuse exploitation.
More in Session Fixation
View allSession fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login
Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti
An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe
A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex
Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab
Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera
An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s
Same weakness CWE-384 – Session Fixation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209519
GHSA-wx63-92xj-ggq5