Description
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release versions 8.3.1.0 through 8.3.1.10, and LTS2024 release versions 7.13.1.0 through 7.13.1.40 contains an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution.
Published: 2026-04-20
Score: 7.2 High
EPSS: 1.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw exists in Dell PowerProtect Data Domain’s Data Domain Operating System (DD OS). The weakness, designated CWE‑78, allows a high‑privileged attacker who has remote access to execute arbitrary operating system commands, which can lead to full compromise of the affected appliance.

Affected Systems

The vulnerability affects Dell PowerProtect Data Domain appliances running DD OS Feature Release versions 7.7.1.0 through 8.5, LTS2025 release versions 8.3.1.0 through 8.3.1.10, and LTS2024 release versions 7.13.1.0 through 7.13.1.40. These cover a broad range of deployment sizes in enterprise backup environments.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while the EPSS score of 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, meaning CISA has not recorded exploitation in the wild. The attack vector is not stated explicitly; it is inferred to be the remote management interfaces, where a privileged attacker could inject and execute shell commands.

Generated by OpenCVE AI on June 18, 2026 at 08:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell PowerProtect Data Domain OS patch released in DSA‑2026‑060 to all affected Feature Release, LTS2025, and LTS2024 versions.
  • If a patch is not available for a specific version, plan an upgrade to a newer DD OS release that does not contain this flaw.
  • Restrict remote management traffic to trusted networks and enforce strong authentication so that only authorized personnel can access privileged interfaces.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in Dell PowerProtect Data Domain Leading to Remote Command Execution

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title OS Command Injection in Dell PowerProtect Data Domain Leading to Remote Command Execution

Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection Vulnerability in Dell PowerProtect Data Domain OS

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Dell data Domain Operating System
Dell powerprotect Dp Series Appliance
CPEs cpe:2.3:a:dell:powerprotect_dp_series_appliance:*:*:*:*:*:*:*:*
cpe:2.3:o:dell:data_domain_operating_system:*:*:*:*:*:*:*:*
Vendors & Products Dell data Domain Operating System
Dell powerprotect Dp Series Appliance

Mon, 20 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection Vulnerability in Dell PowerProtect Data Domain OS
First Time appeared Dell
Dell powerprotect Data Domain
Vendors & Products Dell
Dell powerprotect Data Domain

Mon, 20 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution.
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-22T03:55:57.514Z

Reserved: 2026-01-16T06:05:50.872Z

Link: CVE-2026-23774

Vulnrichment

Updated: 2026-04-20T16:18:01.123Z

NVD

Status: Analyzed

Published: 2026-04-20T16:16:41.213

Modified: 2026-06-17T10:22:05.437

Link: CVE-2026-23774

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T09:00:16Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')