CVE-2025-43938
📋 TL;DR
Dell PowerProtect Data Manager versions 19.19 and 19.20 for Hyper-V store passwords in plaintext, allowing high-privileged local attackers to steal credentials. This could lead to unauthorized access with the compromised account's privileges. Only users running these specific versions with Hyper-V are affected.
💻 Affected Systems
- Dell PowerProtect Data Manager
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full administrative access to the PowerProtect Data Manager system and potentially connected infrastructure using stolen credentials.
Likely Case
Local administrator or privileged user steals credentials to escalate privileges or access sensitive backup data.
If Mitigated
Limited credential exposure with minimal impact due to strong access controls and monitoring.
🎯 Exploit Status
Requires local high-privileged access to locate and read plaintext password storage.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to version 19.21 or later
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000367456/dsa-2025-326-security-update-for-dell-powerprotect-data-manager-multiple-security-vulnerabilities
Restart Required: No
Instructions:
1. Download the latest PowerProtect Data Manager update from Dell Support.
2. Follow Dell's upgrade documentation for your deployment.
3. Apply the update through the PowerProtect Data Manager interface.
🔧 Temporary Workarounds
Restrict local access
Limit local administrator access to PowerProtect Data Manager servers to only essential personnel.
🧯 If You Can't Patch
- Implement strict access controls and monitoring for all local administrator accounts on affected systems.
- Regularly audit and rotate credentials stored by PowerProtect Data Manager.
🔍 How to Verify
Check if Vulnerable:
Check the PowerProtect Data Manager version in the web interface under Settings > About. If the version is 19.19 or 19.20 for Hyper-V, the system is vulnerable.
Check Version:
Not applicable - version check is through web interface only.
Verify Fix Applied:
Confirm version is 19.21 or later in Settings > About after applying update.
📡 Detection & Monitoring
Log Indicators:
- Unusual local file access patterns on PowerProtect servers
- Multiple failed login attempts followed by successful login with previously unused credentials
Network Indicators:
- Unusual authentication requests from PowerProtect server to other systems
SIEM Query:
source="PowerProtect" AND ((event_type="file_access" AND file_path="*password*") OR (event_type="authentication" AND result="success" AND user_changed=true))