Description
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release versions 8.3.1.0 through 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, contains an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution.
Published: 2026-04-20
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An OS command injection flaw is present in Dell PowerProtect Data Domain’s Data Domain Operating System (DD OS). The weakness, identified as CWE‑78, permits a high‑privileged attacker who has remote network access to execute arbitrary operating system commands. Successful exploitation can lead to full compromise of the affected appliance, enabling data exfiltration, service disruption, or further lateral movement within the network.

Affected Systems

The vulnerability affects Dell PowerProtect Data Domain appliances running DD OS Feature Release versions 7.7.1.0 through 8.5, LTS2025 release versions 8.3.1.0 through 8.3.1.10, and LTS2024 release versions 7.13.1.0 through 7.13.1.40. These cover a broad range of deployment sizes in enterprise backup environments.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while the EPSS score is currently unavailable, so the exploitation probability cannot be quantified at this time. The vulnerability is not listed in the CISA KEV catalog, which indicates that CISA has no record of exploitation in the wild so far. The likely attack vector is through remote management interfaces, where a privileged attacker could inject and execute shell commands.

Generated by OpenCVE AI on April 20, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell PowerProtect Data Domain OS patch released in DSA‑2026‑060 to all affected Feature Release, LTS2025, and LTS2024 versions.
  • If a patch is not available for a specific version, plan an upgrade to a newer DD OS release that does not contain this flaw.
  • Restrict remote management traffic to trusted networks and enforce strong authentication so that only authorized personnel can access privileged interfaces.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Dell data Domain Operating System; Dell powerprotect Dp Series Appliance |
| CPEs | | cpe:2.3:a:dell:powerprotect_dp_series_appliance:\*:\*:\*:\*:\*:\*:\*:\*; cpe:2.3:o:dell:data_domain_operating_system:\*:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Dell data Domain Operating System; Dell powerprotect Dp Series Appliance |

Mon, 20 Apr 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | OS Command Injection Vulnerability in Dell PowerProtect Data Domain OS |
| First Time appeared | | Dell; Dell powerprotect Data Domain |
| Vendors & Products | | Dell; Dell powerprotect Data Domain |

Mon, 20 Apr 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Mon, 20 Apr 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release versions 8.3.1.0 through 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, contains an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution. |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-22T03:55:57.514Z

Reserved: 2026-01-16T06:05:50.872Z

Link: CVE-2026-23774

Vulnrichment

Updated: 2026-04-20T16:18:01.123Z

NVD

Status: Analyzed

Published: 2026-04-20T16:16:41.213

Modified: 2026-04-23T15:19:08.073

Link: CVE-2026-23774

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses