Overview
CVE-2025-43885 is a critical vulnerability that affects Dell PowerProtect Data Manager versions 19.19 and 19.20, specifically in Hyper-V environments. The vulnerability, referred to as an ‘OS Command Injection’, can be potentially exploited by a low privileged attacker with local access, leading to unauthorized command execution, which could lead to a system compromise or data leakage.
Vulnerability Summary
CVE ID: CVE-2025-43885
Severity: High (7.8)
Attack Vector: Local
Privileges Required: Low
User Interaction: Required
Impact: Unauthorized command execution leading potentially to system compromise or data leakage.
Affected Products
A new way to communicate
Ameeba Chat is built on encrypted identity, not personal profiles.
Message, call, share files, and coordinate with identities kept separate.
- • Encrypted identity
- • Ameeba Chat authenticates access
- • Aliases and categories
- • End-to-end encrypted chat, calls, and files
- • Secure notes for sensitive information
Private communication, rethought.
Product | Affected Versions
Dell PowerProtect Data Manager | 19.19
Dell PowerProtect Data Manager | 19.20
How the Exploit Works
The vulnerability occurs due to improper neutralization of special elements that are used in an OS command within the Hyper-V component of Dell PowerProtect Data Manager. An attacker with low privilege and local access could potentially exploit this vulnerability by injecting malicious OS commands, which the system would then execute.
Conceptual Example Code
A hypothetical example of how the vulnerability might be exploited is shown below:
$ echo "; malicious_command" > /path/to/vulnerable/input/fileIn this example, the malicious command is appended after a semicolon to the vulnerable input file, which is processed by the vulnerable application. The semicolon allows the attacker to execute additional commands following the intended command, leading to OS command injection.