CVE-2025-36567 is an OS command injection vulnerability identified in Dell PowerProtect Data Domain systems running the Data Domain Operating System (DD OS) across multiple versions, including Feature Release versions 7.7.1.0 through 8.1.0.10 and LTS releases 7.13.1.0 through 7.13.1.25 and 7.10.1.0 through 7.10.1.50. The vulnerability stems from improper neutralization of special characters in OS commands (classified under CWE-78), which allows a high-privileged attacker with local access to inject and execute arbitrary commands on the underlying operating system. This can lead to privilege escalation to root, compromising the entire system. The attack vector requires local access and high privileges but does not require user interaction, making it a targeted threat primarily from insiders or attackers who have already breached perimeter defenses. The vulnerability affects critical backup and data protection infrastructure, potentially impacting data confidentiality, integrity, and availability. The CVSS v3.1 score of 6.7 reflects a medium severity rating, balancing the high impact with the requirement for local high-privilege access. No public exploits have been reported, but the risk remains significant due to the critical nature of the affected systems. Dell has not yet published patches or mitigations at the time of this report, so organizations must rely on access controls and monitoring to reduce risk.

For European organizations, this vulnerability poses a significant risk to data protection and backup infrastructure, which are critical for business continuity and regulatory compliance (e.g., GDPR). Successful exploitation could lead to unauthorized access to sensitive backup data, data corruption, or complete system compromise, undermining trust and operational resilience. The requirement for local high-privilege access limits remote exploitation but increases the threat from insider attacks or attackers who have gained initial footholds. Disruption or compromise of backup systems can have cascading effects on incident response and disaster recovery capabilities. Organizations in sectors with stringent data protection requirements such as finance, healthcare, and government are particularly vulnerable. The medium severity rating suggests prioritization in patch management cycles but not immediate emergency response unless combined with other vulnerabilities or active exploitation.

1. Restrict local access to Dell PowerProtect Data Domain systems strictly to trusted administrators and personnel. 2. Implement strong authentication and session monitoring to detect unauthorized access attempts. 3. Apply principle of least privilege to limit high-privilege accounts and regularly audit their usage. 4. Monitor system logs and command execution traces for unusual activity indicative of command injection attempts. 5. Segregate backup infrastructure networks from general enterprise networks to reduce attack surface. 6. Stay alert for Dell security advisories and apply patches promptly once released. 7. Employ host-based intrusion detection systems (HIDS) to detect anomalous command executions. 8. Conduct regular security training for administrators to recognize and report suspicious behavior. 9. Consider deploying application whitelisting or command filtering mechanisms if supported by the DD OS environment. 10. Maintain offline, immutable backups to ensure recovery capability in case of compromise.