{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-46606", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2025-04-25T05:03:51.784Z", "datePublished": "2026-04-17T11:36:54.469Z", "dateUpdated": "2026-04-18T03:55:33.318Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-04-17T11:36:54.469Z"}, "datePublic": "2026-04-15T18:30:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "affected": [{"vendor": "Dell", "product": "PowerProtect Data Domain", "versions": [{"status": "affected", "version": "0", "lessThan": "8.6.0.0 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper restriction of excessive authentication attempts vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper restriction of excessive authentication attempts vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access."}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 6.2, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-46606"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-18T03:55:33.318Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-46606", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-17T16:36:49.734446Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T16:36:55.520Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dell", "product": "PowerProtect Data Domain", "versions": [{"status": "affected", "version": "0", "lessThan": "8.6.0.0 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-15T18:30:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper restriction of excessive authentication attempts vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.", "supportingMedia": [{"type": "text/html", "value": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper restriction of excessive authentication attempts vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-04-17T11:36:54.469Z"}}}, "cveMetadata": {"cveId": "CVE-2025-46606", "state": "PUBLISHED", "dateUpdated": "2026-04-18T03:55:33.318Z", "dateReserved": "2025-04-25T05:03:51.784Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2026-04-17T11:36:54.469Z", "assignerShortName": "dell"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dell:data_domain_operating_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "DB7229F8-52FA-4351-ADA7-B2F42940FAC1", "versionEndExcluding": "8.6.0.0", "versionStartIncluding": "8.4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper restriction of excessive authentication attempts vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access."}], "id": "CVE-2025-46606", "lastModified": "2026-05-08T14:04:38.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.5, "source": "security_alert@emc.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-17T12:16:31.967", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "security_alert@emc.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.6.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "PowerProtect Data Domain", "source": "cna", "vendor": "Dell"}, "product": "powerprotect_data_domain", "vendor": "dell"}], "analysis": {"en": {"generated_at": "2026-04-18T19:27:32.145390+00:00", "value": {"mitigation_remediation": ["Download and install Dell PowerProtect Data Domain update DSA\u20112026\u2011060 from Dell\u2019s support site to address the authentication restriction flaw.", "Ensure the Data Domain OS is upgraded to a version that implements proper login attempt limits, such as version 8.6 or later.", "If an immediate update is not feasible, configure local firewall rules or DD OS settings to throttle repeated authentication attempts and monitor authentication logs for suspicious activity."], "summary": {"action": "Patch Now", "impact": "Unauthorized remote access"}, "threat_synthesis": {"affected_systems": "Dell PowerProtect Data Domain with Data Domain Operating System feature releases 8.4 and 8.5 are affected.", "description_and_impact": "A flaw in Dell PowerProtect Data Domain operating systems 8.4 through 8.5 allows a high\u2011privileged attacker to exploit an improper restriction of excessive authentication attempts, enabling the attacker to gain unauthorized access to the control plane. The vulnerability permits repeated authentication attempts without a lockout or rate\u2011limit, which can be leveraged to brute\u2011force credentials and elevate access on the system. The weakness is identified as CWE\u2011307 (Improper Restriction of Excessive Authentication Attempts).", "risk_and_exploitability": "The CVSS score of 6.2 indicates a medium severity, the EPSS score is less than 1%, and the vulnerability is not listed in CISA KEV. The attack vector is remote, requiring network access to the DD OS and high privileges to make full use of the authentication bypass. Because the flaw is a lack of lockout or rate limiting, an attacker can repeatedly attempt login credentials, potentially discovering valid credentials and gaining unauthorized control of the device."}}}}, "created": "2026-04-17T13:30:19.438216+00:00", "title": "Improper Restriction of Excessive Authentication Attempts in Dell PowerProtect Data Domain OS", "updated": "2026-04-18T19:30:08.942581+00:00", "vendors": ["dell", "dell$PRODUCT$powerprotect_data_domain"]}