Description
Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Published: 2026-04-20
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability is an OS command injection caused by improper neutralization of special elements. A high privileged attacker who can reach the system remotely could force the appliance to execute arbitrary commands with root privileges, compromising confidentiality, integrity, and availability on the entire appliance.

Affected Systems

Dell PowerProtect Data Domain appliances running firmware versions 8.5 through 8.6 are affected.

Risk and Exploitability

The CVSS base score of 6.7 indicates moderate severity. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires remote access with privileged credentials, suggesting the attack vector is remote and privileged. The impact was limited to system administrators who can already reach the appliance.

Generated by OpenCVE AI on April 20, 2026 at 17:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Dell PowerProtect Data Domain security update DSA-2026-060 for affected firmware versions.
  • After applying the patch, tighten network access controls so that only trusted administrators can reach the appliance over the network.
  • If the patch cannot be applied immediately, restrict the exposed service to a single trusted IP range or temporarily disable the feature that allows OS command execution until the update is available.

Generated by OpenCVE AI on April 20, 2026 at 17:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Dell data Domain Operating System
Dell powerprotect Dp Series Appliance
CPEs cpe:2.3:a:dell:powerprotect_dp_series_appliance:*:*:*:*:*:*:*:*
cpe:2.3:o:dell:data_domain_operating_system:*:*:*:*:*:*:*:*
Vendors & Products Dell data Domain Operating System
Dell powerprotect Dp Series Appliance

Tue, 21 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection Allowing Root Privilege Escalation in Dell PowerProtect Data Domain
First Time appeared Dell
Dell powerprotect Data Domain
Vendors & Products Dell
Dell powerprotect Data Domain

Mon, 20 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Dell Data Domain Operating System Powerprotect Data Domain Powerprotect Dp Series Appliance
cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-22T03:56:05.261Z

Reserved: 2026-02-16T18:04:20.508Z

Link: CVE-2026-26942

cve-icon Vulnrichment

Updated: 2026-04-21T13:29:58.965Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-20T17:16:32.657

Modified: 2026-04-28T21:04:13.400

Link: CVE-2026-26942

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses