Description
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contains a command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability to gain root-level access.
Published: 2026-04-17
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Root-level Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A command injection flaw in Dell PowerProtect Data Domain allows a highly privileged attacker who already has remote access to execute arbitrary operating system commands. The vulnerability, classified as CWE-77, can give the attacker full root privileges, leading to complete compromise of the appliance’s confidentiality, integrity, and availability.

Affected Systems

Dell PowerProtect Data Domain devices running Data Domain Operating System (DD OS) Feature Release versions 7.7.1.0 through 8.5, LTS2025 release versions 8.3.1.0 through 8.3.1.20, and LTS2024 release versions 7.13.1.0 through 7.13.1.50 are affected. Only these specific versions are listed; newer releases are not known to be impacted.

Risk and Exploitability

The CVSS score of 7.2 indicates a high-severity flaw. No EPSS score is supplied, and the vulnerability is not listed in the CISA KEV catalog, though the lack of an EPSS value does not guarantee that exploitation is rare. The attack likely requires remote network exposure and high-privilege access, making it most relevant to untrusted or compromised users who can reach the appliance. If exploited, the attacker can gain root access, modify or delete data, and potentially pivot to other network assets.

Generated by OpenCVE AI on April 17, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell security update listed in KB 000450699 to patch all affected DD OS versions.
  • Restrict network access to the PowerProtect Data Domain appliance by limiting connectivity to trusted networks or enforcing strong authentication for remote management.
  • Disable or remove any unnecessary services that provide remote command capability and enforce strict access controls to reduce the attack surface.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 11:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dell; Dell powerprotect Data Domain
Vendors & Products | | Dell; Dell powerprotect Data Domain

Fri, 17 Apr 2026 10:45:00 +0000

Type | Values Removed | Values Added
Title | | Command Injection Allowing Root Access on Dell PowerProtect Data Domain

Fri, 17 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contains a command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability to gain root-level access.
Weaknesses | | CWE-77
References | |
Metrics | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-17T08:33:21.569Z

Reserved: 2026-01-16T06:05:50.873Z

Link: CVE-2026-23778

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-17T09:16:05.300

Modified: 2026-04-17T15:07:18.050

Link: CVE-2026-23778

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T11:00:13Z

Weaknesses