Description
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution.
Published: 2026-04-20
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An OS command injection flaw is present in Dell PowerProtect Data Domain’s Data Domain Operating System (DD OS). The weakness, identified as CWE‑78, permits a high‑privileged attacker who has remote network access to execute arbitrary operating system commands. Successful exploitation can lead to full compromise of the affected appliance, enabling data exfiltration, service disruption, or further lateral movement within the network.

Affected Systems

The vulnerability affects Dell PowerProtect Data Domain appliances running DD OS Feature Release versions 7.7.1.0 through 8.5, LTS2025 release versions 8.3.1.0 through 8.3.1.10, and LTS2024 release versions 7.13.1.0 through 7.13.1.40. These cover a broad range of deployment sizes in enterprise backup environments.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity. The EPSS score is currently unavailable, so the exploitation probability cannot be quantified at this time. The vulnerability is not listed in the CISA KEV catalog, so there is no confirmed in-the-wild exploitation on record. The likely attack vector is through remote management interfaces, where a privileged attacker could inject and execute shell commands.

Generated by OpenCVE AI on April 20, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell PowerProtect Data Domain OS patch released in DSA‑2026‑060 to all affected Feature Release, LTS2025, and LTS2024 versions.
  • If a patch is not available for a specific version, plan an upgrade to a newer DD OS release that does not contain this flaw.
  • Restrict remote management traffic to trusted networks and enforce strong authentication so that only authorized personnel can access privileged interfaces.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:45:00 +0000

Values added (none removed):
  • Title: OS Command Injection Vulnerability in Dell PowerProtect Data Domain OS
  • First Time appeared: Dell; Dell powerprotect Data Domain
  • Vendors & Products: Dell; Dell powerprotect Data Domain

Mon, 20 Apr 2026 17:15:00 +0000

Values added (none removed):
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 16:15:00 +0000

Values added (none removed):
  • Description: Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution.
  • Weaknesses: CWE-78
  • References
  • Metrics: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-20T16:20:28.039Z

Reserved: 2026-01-16T06:05:50.872Z

Link: CVE-2026-23774

Vulnrichment

Updated: 2026-04-20T16:18:01.123Z

NVD

Status: Awaiting Analysis

Published: 2026-04-20T16:16:41.213

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-23774

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses