CVE-2025-46644: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS2023 release versions 7.10.1.0 through 7.10.1.70, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution.
AI Analysis
Technical Summary
CVE-2025-46644 is a vulnerability classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), affecting Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release versions 7.7.1.0 through 8.4.0.0, including specific LTS releases (LTS2025 8.3.1.10, LTS2024 7.13.1.0-7.13.1.40, LTS2023 7.10.1.0-7.10.1.70). The flaw arises from insufficient sanitization of inputs that are incorporated into OS commands, enabling a high-privileged attacker with local access to inject and execute arbitrary commands on the underlying operating system. This could lead to unauthorized modification or disruption of backup data and system operations. The vulnerability requires the attacker to have elevated privileges and local access, with no user interaction needed, which limits remote exploitation but still poses a significant risk in environments where local access is possible. The CVSS v3.1 base score is 6.0 (medium severity), reflecting the moderate ease of exploitation and significant impact on integrity and availability, but no confidentiality impact. No public exploits or active exploitation have been reported to date. The vulnerability affects critical backup and storage infrastructure, which is essential for data protection and business continuity in enterprise environments.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to data integrity and availability within backup and storage systems. Successful exploitation could allow attackers to execute arbitrary commands, potentially leading to data corruption, deletion, or disruption of backup services. This could severely impact disaster recovery capabilities and business continuity, especially in sectors such as finance, healthcare, government, and critical infrastructure that rely heavily on Dell PowerProtect Data Domain systems. Although remote exploitation is not feasible, insider threats or attackers who gain local administrative access could leverage this vulnerability to escalate their control or disrupt operations. The absence of confidentiality impact reduces the risk of data leakage but does not diminish the threat to operational stability and data reliability. Organizations with inadequate access controls or monitoring of privileged users are at higher risk.
Mitigation Recommendations
1. Apply official patches or updates from Dell as soon as they become available for all affected versions of PowerProtect Data Domain with DD OS.
2. Restrict local administrative access strictly to trusted personnel and enforce the principle of least privilege to minimize the risk of exploitation by insiders or compromised accounts.
3. Implement robust monitoring and logging of privileged user activities on Data Domain systems to detect suspicious command execution attempts.
4. Use host-based intrusion detection systems (HIDS) to monitor for anomalous OS command executions.
5. Regularly audit and review access permissions and system configurations to ensure no unauthorized changes or backdoors exist.
6. Consider network segmentation to isolate backup infrastructure from general user networks, reducing the risk of lateral movement.
7. Educate administrators on the risks of OS command injection vulnerabilities and the importance of secure management practices.
8. If possible, deploy application whitelisting or command restrictions on the affected systems to prevent unauthorized command execution.
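To prioritise patching across a fleet, the sketch below classifies DD OS version strings against the ranges listed in the description. It is an added example, not Dell's or this site's code. The hostnames and version strings are constructed, and treating a shared X.Y.Z prefix as "same LTS train" (with a `review` result for builds in a train but outside its listed range) is an assumption of this example, made because the LTS ranges sit numerically inside the Feature Release range.

```python
import re

# Inclusive bounds copied from the advisory text above.
FEATURE_RANGE = ((7, 7, 1, 0), (8, 4, 0, 0))
LTS_RANGES = {
    "LTS2025": ((8, 3, 1, 10), (8, 3, 1, 10)),
    "LTS2024": ((7, 13, 1, 0), (7, 13, 1, 40)),
    "LTS2023": ((7, 10, 1, 0), (7, 10, 1, 70)),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample inventory: hostnames and version strings are made up.
INVENTORY = {
    "dd-fra-01": "Data Domain OS 7.13.1.40-1098765",
    "dd-ams-02": "7.13.1.50",
    "dd-mad-03": "8.1.0.10",
    "dd-lon-04": "8.5.0.0",
    "dd-sto-05": "8.3.1.0",
    "dd-rom-06": "unknown",
}


def parse_version(text):
    """Return the first four-part version found in text as ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Return 'affected', 'review', 'not_listed' or 'unparsed'."""
    v = parse_version(text)
    if v is None:
        return "unparsed"
    for low, high in LTS_RANGES.values():
        if v[:3] == low[:3]:  # assumption: same X.Y.Z prefix = same LTS train
            # Outside the listed LTS range: do not guess, confirm with the vendor advisory.
            return "affected" if low <= v <= high else "review"
    low, high = FEATURE_RANGE
    return "affected" if low <= v <= high else "not_listed"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(raw) for host, raw in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host}: {status}")
```

A `review` or `unparsed` result means the build needs checking against Dell's advisory by hand; it is not a statement that the build is fixed.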
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: dell
- Date Reserved: 2025-04-26T05:03:53.130Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6961214ef9fa58d9727fd82c
Added to database: 1/9/2026, 3:39:58 PM
Last enriched: 1/9/2026, 3:54:53 PM
Last updated: 1/10/2026, 3:07:23 AM