Description
Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Published: 2026-04-20
Score: 6.7 Medium
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability is an OS command injection caused by improper neutralization of special elements. A high privileged attacker who can reach the system remotely could force the appliance to execute arbitrary commands with root privileges, compromising confidentiality, integrity, and availability on the entire appliance.

Affected Systems

Dell PowerProtect Data Domain appliances running firmware versions 8.5 through 8.6 are affected.

Risk and Exploitability

The CVSS base score of 6.7 indicates moderate severity. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires remote access with privileged credentials, suggesting the attack vector is remote and privileged. The impact was limited to system administrators who can already reach the appliance.

Generated by OpenCVE AI on April 20, 2026 at 17:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Dell PowerProtect Data Domain security update DSA-2026-060 for affected firmware versions.
  • After applying the patch, tighten network access controls so that only trusted administrators can reach the appliance over the network.
  • If the patch cannot be applied immediately, restrict the exposed service to a single trusted IP range or temporarily disable the feature that allows OS command execution until the update is available.

Generated by OpenCVE AI on April 20, 2026 at 17:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection Allowing Root Privilege Escalation in Dell PowerProtect Data Domain
First Time appeared Dell
Dell powerprotect Data Domain
Vendors & Products Dell
Dell powerprotect Data Domain

Mon, 20 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Dell Powerprotect Data Domain
cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-20T16:34:43.219Z

Reserved: 2026-02-16T18:04:20.508Z

Link: CVE-2026-26942

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-20T17:16:32.657

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-26942

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses