Description
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution as root.
Published: 2026-04-20
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: Remote Command Execution (root)
Action: Immediate Patch
AI Analysis

Impact

A high‑privileged attacker with remote access can exploit a command injection flaw in Dell PowerProtect Data Domain. The weakness, classified as CWE‑78, allows arbitrary shell commands to be executed with root privileges, potentially compromising the entire appliance and any data it protects. It can be leveraged to gain full control over the system, exfiltrate data, or pivot to other parts of the infrastructure.

Affected Systems

Dell PowerProtect Data Domain appliances running versions 7.7.1.0 through 8.6, the LTS2025 release series 8.3.1.0 through 8.3.1.20, and the LTS2024 release series 7.13.1.0 through 7.13.1.60 are affected.

Risk and Exploitability

The vulnerability has a CVSS v3.1 base score of 7.2, indicating high severity. EPSS information is currently unavailable, and the CVE is not listed in the CISA KEV catalog. Exploitation requires remote access with high privileges; the official advisory describes remote exploitation by a privileged attacker, and the attack vector given here is inferred from that description.

Generated by OpenCVE AI on April 20, 2026 at 17:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell PowerProtect Data Domain security patch released in the Dell Security Advisory 2026-060.
  • Upgrade the appliance to a non‑affected version, such as 8.7 or later, or the latest LTS2025/LTS2024 patch level.
  • Restrict remote privileged access to the appliance through network segmentation, bastion hosts, and least‑privilege policies.



Advisories

No advisories yet.

History

Mon, 20 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dell; Dell powerprotect Data Domain
Vendors & Products | | Dell; Dell powerprotect Data Domain

Mon, 20 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
Title | | OS Command Injection in Dell PowerProtect Data Domain Enables Arbitrary Root Execution

Mon, 20 Apr 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution as root.
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-20T18:09:44.869Z

Reserved: 2026-01-23T06:07:21.818Z

Link: CVE-2026-24506

Vulnrichment

Updated: 2026-04-20T18:09:38.621Z

NVD

Status: Awaiting Analysis

Published: 2026-04-20T17:16:32.050

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-24506

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:00:10Z
