Description
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release versions 8.3.1.0 through 8.3.1.20, and LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a missing authentication for critical function vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. Exploitation requires an authenticated user to perform a specific action.
Published: 2026-04-20
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from a missing authentication check on a critical function in Dell PowerProtect Data Domain, allowing an attacker to execute arbitrary commands with root privileges. An unauthenticated attacker who can reach the affected service may trigger this flaw; however, the CVE description notes that an authenticated user must perform a specific action, implying the attack path likely requires prior access or privileged credentials.

Affected Systems

Dell PowerProtect Data Domain versions 7.7.1.0 through 8.6, LTS2025 release versions 8.3.1.0 through 8.3.1.20, and LTS2024 release versions 7.13.1.0 through 7.13.1.60 are impacted by the missing authentication flaw that can lead to arbitrary command execution with root privileges.

Risk and Exploitability

The CVSS score of 8.8 classifies this as high severity. The EPSS score is not available, so the exact likelihood of exploitation is unknown, but because the flaw permits root‑level command execution, the potential for full system compromise warrants serious concern. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed public exploitation yet. The attack vector is inferred to be remote, requiring network access to the PowerProtect Data Domain appliance, and may necessitate an authenticated user to perform a specific action before the exploit can be successfully leveraged.

Generated by OpenCVE AI on April 21, 2026 at 00:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell PowerProtect Data Domain security update DSA‑2026‑060 from the Dell support site to address the missing authentication flaw.
  • Restrict network exposure of the appliance by permitting access only from trusted administrator networks, using firewalls or VPNs to block unsolicited remote traffic.
  • Enforce least‑privilege principles for all user accounts on the appliance, disabling unnecessary accounts and limiting privileges to the minimum required for operational tasks.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 00:30:00 +0000

Type | Values Removed | Values Added
Title | | Missing Authentication Allows Remote Root Command Execution on Dell PowerProtect Data Domain

Mon, 20 Apr 2026 18:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dell; Dell powerprotect Data Domain
Vendors & Products | | Dell; Dell powerprotect Data Domain

Mon, 20 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release versions 8.3.1.0 through 8.3.1.20, and LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a missing authentication for critical function vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. Exploitation requires an authenticated user to perform a specific action.
Weaknesses | | CWE-306
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-20T18:02:52.279Z

Reserved: 2026-02-16T18:04:20.508Z

Link: CVE-2026-26944

Vulnrichment

Updated: 2026-04-20T18:02:42.569Z

NVD

Status: Awaiting Analysis

Published: 2026-04-20T16:16:42.223

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-26944

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:15:16Z

Weaknesses