Description
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain a session fixation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.
Published: 2026-04-17
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Remote Access
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a session fixation flaw that allows an attacker with high privileged remote access to hijack a user session, enabling unauthorized access to the system. This flaw can let the attacker gain control over the Data Domain operating system and potentially exfiltrate or alter data, compromising confidentiality and integrity.

Affected Systems

Dell PowerProtect Data Domain running Data Domain Operating System Feature Release 8.4 through 8.5 is affected. All instances of these versions should be considered vulnerable until patched.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate severity, and the EPSS score is not available, suggesting no current data on exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. The attack vector appears to be remote and requires high privileged access; no publicly disclosed exploit is known, but the flaw could be used for credential‑less session hijacking under the stated conditions.

Generated by OpenCVE AI on April 18, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell PowerProtect Data Domain operating system update from the DSA‑2026‑060 security update, which addresses the session fixation vulnerability.
  • Verify that the updated system no longer reports session fixation in logs and that session tokens are properly invalidated after logout.
  • As a temporary measure, restrict remote management access to the affected systems and enforce multi‑factor authentication to mitigate exploitation risk until the patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Dell data Domain Operating System
CPEs cpe:2.3:o:dell:data_domain_operating_system:*:*:*:*:*:*:*:*
Vendors & Products Dell data Domain Operating System

Mon, 20 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 18 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
Title Session Fixation Vulnerability in Dell PowerProtect Data Domain

Fri, 17 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Dell
Dell powerprotect Data Domain
Vendors & Products Dell
Dell powerprotect Data Domain

Fri, 17 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Description Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain a session fixation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.
Weaknesses CWE-384
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Dell Data Domain Operating System Powerprotect Data Domain
cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-20T14:06:10.099Z

Reserved: 2025-04-25T05:03:51.784Z

Link: CVE-2025-46605

cve-icon Vulnrichment

Updated: 2026-04-17T14:30:23.184Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-17T12:16:31.843

Modified: 2026-05-08T14:06:04.960

Link: CVE-2025-46605

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses