Description
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contains a command injection vulnerability. A high-privileged attacker with local access could potentially exploit this vulnerability to gain root-level access.
Published: 2026-04-17
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

A command injection flaw in Dell PowerProtect Data Domain allows a local attacker with high privileges to issue arbitrary shell commands, potentially escalating to full root access on the device. The vulnerability can be exploited directly from the console or via services that run with elevated rights, enabling the attacker to read, modify, or delete data, and to compromise the integrity and availability of the system.

Affected Systems

Dell PowerProtect Data Domain, Data Domain Operating System (DD OS) versions 7.7.1.0 through 8.5, LTS2025 release 8.3.1.0 through 8.3.1.20, and LTS2024 release 7.13.1.0 through 7.13.1.50 are affected.

Risk and Exploitability

The CVSS score of 6.7 indicates a moderate severity vulnerability. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, suggesting limited public exploitation at this time. The likely attack vector is local and requires a high-privileged user; therefore, the risk is significant for systems that could be accessed locally by malicious actors or compromised administrators.

Generated by OpenCVE AI on April 17, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the Dell DSA-2026-060 security update for PowerProtect Data Domain on all affected devices.
  • Limit local console and SSH access to trusted administrators only and enforce strict network segmentation around the storage systems.
  • Regularly audit access controls and logs for unauthorized local activity to detect potential exploitation attempts.



Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 13:15:00 +0000

Type: First Time appeared
Values Added: Dell; Dell powerprotect Data Domain

Type: Vendors & Products
Values Added: Dell; Dell powerprotect Data Domain

Fri, 17 Apr 2026 10:45:00 +0000

Type: Title
Values Added: Command Injection Allowing Local Privileged Root Access

Fri, 17 Apr 2026 09:30:00 +0000

Type: Description
Values Added: Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contains a command injection vulnerability. A high-privileged attacker with local access could potentially exploit this vulnerability to gain root-level access.

Type: Weaknesses
Values Added: CWE-77

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-17T14:08:36.395Z

Reserved: 2026-01-16T06:05:50.873Z

Link: CVE-2026-23779

Vulnrichment

Updated: 2026-04-17T14:08:24.382Z

NVD

Status: Awaiting Analysis

Published: 2026-04-17T10:16:05.017

Modified: 2026-04-17T15:07:18.050

Link: CVE-2026-23779

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:00:11Z

Weaknesses