Description
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command ('OS command injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Published: 2026-04-17
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Execution with System Privileges
Action: Immediate Patch
AI Analysis

Impact

An improper neutralization of special elements used in an OS command, identified as a command injection flaw (CWE‑78), allows a high privileged attacker with local access to execute arbitrary commands with root privileges on Dell PowerProtect Data Domain systems.

Affected Systems

Dell PowerProtect Data Domain products are affected in all versions ranging from 7.7.1.0 to 8.7.0.0, as well as the LTS2025 release versions 8.3.1.0 through 8.3.1.20 and the LTS2024 release versions 7.13.1.0 through 7.13.1.60.

Risk and Exploitability

The CVSS score of 6.7 indicates a high overall severity for this vulnerability. The EPSS score is not available, and the issue is not listed in the CISA KEV database, suggesting limited current exploitation evidence. The likely attack vector is local; a user who gains high privileged access can exploit the command injection to run arbitrary commands as root, potentially compromising the entire system and its stored data. Given the root-level impact, the risk is moderate to high, especially in environments where local administrators may be compromised or during maintenance windows.

Generated by OpenCVE AI on April 18, 2026 at 09:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell OS command injection patch available in the DSA‑2026‑060 security update for PowerProtect Data Domain
  • Restrict local administrative privileges to the minimum required and enforce least privilege for all users
  • Enable audit logging for executed commands and monitor for unauthorized root-level activity

Generated by OpenCVE AI on April 18, 2026 at 09:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in Dell PowerProtect Data Domain

Fri, 17 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Dell
Dell powerprotect Data Domain
Vendors & Products Dell
Dell powerprotect Data Domain

Fri, 17 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Description Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command ('OS command injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Dell Powerprotect Data Domain
cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-18T03:55:38.963Z

Reserved: 2026-04-01T05:04:41.954Z

Link: CVE-2026-35072

cve-icon Vulnrichment

Updated: 2026-04-17T16:37:23.875Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T11:16:10.090

Modified: 2026-04-17T15:07:18.050

Link: CVE-2026-35072

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses