Description
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60, contain(s) an Improper Certificate Validation vulnerability in certificate-based login. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges.
Published: 2026-04-17
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an Improper Certificate Validation flaw in the certificate‑based login function of Dell PowerProtect Data Domain. When a low privileged attacker gains remote access to a system, the failure to properly validate SSL certificates can allow the attacker to spoof authentication tokens and elevate privileges on the Data Domain appliance. The weakness is aligned with CWE‑295 and could lead to full control of the affected device.

Affected Systems

Dell PowerProtect Data Domain appliances running the Data Domain Operating System Feature Release versions 7.7.1.0 through 8.5. The LTS2025 release series from version 8.3.1.0 up to 8.3.1.20 and the LTS2024 release series from 7.13.1.0 up to 7.13.1.60 are all impacted.

Risk and Exploitability

The CVSS score of 7.2 indicates a high‑severity vulnerability. No EPSS score is available, but the possibility of exploitation remains significant due to the remote nature of the attack vector. The vulnerability is not currently listed in the CISA KEV catalog, yet the lack of immediate patching could expose systems to privilege escalation events that would compromise data integrity and confidentiality.

Generated by OpenCVE AI on April 17, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell Data Domain OS security update referenced in the Dell support article to correct the certificate validation flaw.
  • If an immediate patch is unavailable, disable or tightly restrict certificate‑based login on the affected appliances while maintaining strict CA trust enforcement.
  • Use network segmentation and firewall rules to limit remote access to the Data Domain appliances and monitor authentication logs for suspicious activity.

Generated by OpenCVE AI on April 17, 2026 at 10:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Dell
Dell powerprotect Data Domain
Vendors & Products Dell
Dell powerprotect Data Domain

Fri, 17 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
Title Improper Certificate Validation in Dell PowerProtect Data Domain Enables Remote Privilege Escalation

Fri, 17 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
Description Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60, contain(s) an Improper Certificate Validation vulnerability in certificate-based login. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges.
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Dell Powerprotect Data Domain
cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-17T08:56:41.213Z

Reserved: 2026-01-16T06:05:50.873Z

Link: CVE-2026-23776

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T10:16:04.020

Modified: 2026-04-17T15:07:18.050

Link: CVE-2026-23776

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T11:00:13Z

Weaknesses