Description
Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain a command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Published: 2026-04-20
Score: 6.7 Medium
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dell PowerProtect Data Domain versions 8.5 through 8.6 contain a command injection flaw that allows a high‑privileged attacker with remote access to run arbitrary commands as root. The vulnerability stems from unsanitized input being included in a shell command, which can be exploited to execute any code the attacker wishes, compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

Dell PowerProtect Data Domain versions 8.5 and 8.6, including all minor releases derived from those code bases.

Risk and Exploitability

The CVSS score of 6.7 indicates a moderate‑to‑high severity. The EPSS score of 0.01159% suggests a low but non‑negligible likelihood of exploitation, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector requires a high‑privileged network user with remote access; from that position an attacker can submit crafted requests that trigger the command injection and obtain root privileges.

Generated by OpenCVE AI on June 18, 2026 at 13:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Limit remote network access to the PowerProtect appliance by enforcing firewalls, VPNs, and least‑privilege account policies.
  • Enable logging and continuous monitoring of system commands and privilege‑elevating activities to detect anomalous behavior.
  • Check Dell support for the latest patch for PowerProtect Data Domain and apply it as soon as it becomes available.

Generated by OpenCVE AI on June 18, 2026 at 13:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Command Injection in Dell PowerProtect Data Domain 8.5-8.6 Allows Remote Root Execution

Wed, 17 Jun 2026 08:30:00 +0000

Type Values Removed Values Added
Title Command Injection in Dell PowerProtect Data Domain 8.5-8.6 Allows Remote Root Execution

Tue, 16 Jun 2026 10:15:00 +0000

Type Values Removed Values Added
Title Command Injection in Dell PowerProtect Data Domain Enabling Remote Root Execution

Tue, 28 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Dell data Domain Operating System
Dell powerprotect Dp Series Appliance
CPEs cpe:2.3:a:dell:powerprotect_dp_series_appliance:*:*:*:*:*:*:*:*
cpe:2.3:o:dell:data_domain_operating_system:*:*:*:*:*:*:*:*
Vendors & Products Dell data Domain Operating System
Dell powerprotect Dp Series Appliance

Mon, 20 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Title Command Injection in Dell PowerProtect Data Domain Enabling Remote Root Execution

Mon, 20 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Dell
Dell powerprotect Data Domain
Vendors & Products Dell
Dell powerprotect Data Domain

Mon, 20 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain a command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Dell Data Domain Operating System Powerprotect Data Domain Powerprotect Dp Series Appliance
cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-22T03:56:06.445Z

Reserved: 2026-01-09T18:05:08.763Z

Link: CVE-2026-22761

cve-icon Vulnrichment

Updated: 2026-04-20T18:00:30.415Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-20T17:16:31.053

Modified: 2026-06-17T10:20:22.807

Link: CVE-2026-22761

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:30:05Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')