CVE-2025-36594: CWE-290: Authentication Bypass by Spoofing in Dell PowerProtect Data Domain Feature Release
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release versions 7.7.1.0 through 8.3.0.15, LTS2024 release versions 7.13.1.0 through 7.13.1.25, and LTS2023 release versions 7.10.1.0 through 7.10.1.60 contains an Authentication Bypass by Spoofing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass. A remote unauthenticated user can create an account, which potentially exposes customer information and affects system integrity and availability.
AI Analysis
Technical Summary
CVE-2025-36594 is a critical authentication bypass vulnerability affecting Dell PowerProtect Data Domain systems running the following versions of the Data Domain Operating System (DD OS): Feature Release versions 7.7.1.0 through 8.3.0.15, LTS2024 releases 7.13.1.0 through 7.13.1.25, and LTS2023 releases 7.10.1.0 through 7.10.1.60. The vulnerability is categorized under CWE-290, which relates to authentication bypass by spoofing. An unauthenticated remote attacker can exploit this flaw without any user interaction or prior privileges. Exploitation allows the attacker to bypass protection mechanisms, create unauthorized accounts, and potentially gain access to sensitive customer information. This can severely compromise system integrity and availability, as the attacker could manipulate or disrupt backup and data protection processes managed by PowerProtect Data Domain appliances. The CVSS v3.1 base score is 9.8 (critical), reflecting the high impact on confidentiality, integrity, and availability, combined with the ease of remote exploitation without authentication or user interaction. No public exploits are currently known in the wild, but the severity and nature of the vulnerability make it a high-risk issue for organizations relying on these systems for data backup and protection.
Potential Impact
For European organizations, the impact of this vulnerability is significant due to the widespread use of Dell PowerProtect Data Domain appliances in enterprise backup and disaster recovery environments. Successful exploitation could lead to unauthorized access to backup data, exposing sensitive personal and corporate information protected under GDPR and other privacy regulations. Integrity of backup data could be compromised, leading to potential data corruption or loss, which would disrupt business continuity and recovery efforts. Availability could also be affected if attackers disable or manipulate backup services, increasing downtime and operational risk. Given the critical role of data protection systems, this vulnerability poses a direct threat to compliance, operational resilience, and trustworthiness of IT infrastructure in sectors such as finance, healthcare, government, and critical infrastructure across Europe.
Mitigation Recommendations
Organizations should immediately identify and inventory affected Dell PowerProtect Data Domain systems running vulnerable DD OS versions. Since no patches are currently linked, it is crucial to engage Dell support for any available security updates or workarounds. In the interim, restrict remote access to management interfaces of affected systems using network segmentation, firewalls, and VPNs to limit exposure to untrusted networks. Implement strict monitoring and logging of authentication attempts and account creations on these appliances to detect suspicious activities early. Employ multi-factor authentication (MFA) where supported to add an additional layer of security. Regularly review and audit user accounts and permissions on the affected systems. Additionally, ensure that backup data is encrypted at rest and in transit to mitigate data exposure risks. Prepare incident response plans specifically addressing potential compromise of backup infrastructure.
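The inventory step above comes down to matching each appliance's DD OS version against the three listed ranges. The following is an added example in Python, not Dell's or this page's code; the hostnames and version strings are constructed, and judging 7.13.1.x and 7.10.1.x only against their own LTS ranges is an assumption, made because the Feature Release range numerically spans both.

```python
# Added example: classify DD OS versions against the ranges listed in this advisory.
import re

# Ranges exactly as listed on this page (inclusive bounds).
FEATURE = ((7, 7, 1, 0), (8, 3, 0, 15))
# Assumption: a.b.c prefixes 7.13.1 and 7.10.1 identify the LTS trains, so those
# versions are compared with their own range, not the wider Feature Release range.
LTS_TRAINS = {
    (7, 13, 1): ("LTS2024", (7, 13, 1, 0), (7, 13, 1, 25)),
    (7, 10, 1): ("LTS2023", (7, 10, 1, 0), (7, 10, 1, 60)),
}

def parse_version(text):
    """Extract the first four-part a.b.c.d version found in text, or None."""
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])", text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version_text):
    """Return (status, train) for one version string taken from an inventory."""
    v = parse_version(version_text)
    if v is None:
        return ("unparsed", None)  # needs manual review, never assume safe
    train = LTS_TRAINS.get(v[:3])
    if train:
        name, low, high = train
    else:
        name, (low, high) = "Feature Release", FEATURE
    # "outside listed range" only means the page does not list it; it is not
    # a statement that the version is fixed.
    status = "affected" if low <= v <= high else "outside listed range"
    return (status, name)

INVENTORY = [  # constructed sample; hostnames and banner format are hypothetical
    ("dd-fra-01", "Data Domain OS 8.3.0.10-1122334"),
    ("dd-ams-02", "7.13.1.25"),
    ("dd-lon-03", "7.13.1.30"),
    ("dd-par-04", "7.10.1.60"),
    ("dd-mad-05", "8.3.1.0"),
    ("dd-sto-06", "unknown"),
]

def triage(inventory):
    """Map hostname -> (status, train) for every inventory row."""
    return {host: classify(ver) for host, ver in inventory}

if __name__ == "__main__":
    for host, (status, train) in triage(INVENTORY).items():
        print(f"{host:10} {train or '-':16} {status}")
```

Rows reported as "unparsed" or "outside listed range" should still be confirmed against Dell's own advisory before being closed out.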
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: dell
- Date Reserved: 2025-04-15T21:32:11.413Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6890c80aad5a09ad00e1d6d0
Added to database: 8/4/2025, 2:47:38 PM
Last enriched: 8/13/2025, 12:51:42 AM
Last updated: 9/13/2025, 11:06:24 AM