Description
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command injection vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Published: 2026-04-17
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command execution with root privileges
Action: Patch
AI Analysis

Impact

An improper neutralization of special elements in the OS command processing of Dell PowerProtect Data Domain allows an attacker with high local privileges to inject arbitrary commands. This flaw can be used to gain unrestricted root execution on the affected system.

Affected Systems

Dell PowerProtect Data Domain versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, and LTS2024 release versions 7.13.1.0 through 7.13.1.60 are impacted.

Risk and Exploitability

The CVSS score of 6.7 indicates a medium severity vulnerability, and the EPSS score is not available. The CVSS vector (AV:L, PR:H) confirms that exploitation requires local access with high privileges. The vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation to date. Nonetheless, the potential for root-level command execution warrants prompt attention.

Generated by OpenCVE AI on April 18, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Dell PowerProtect Data Domain DSA-2026-060 security update from Dell support.
  • Upgrade to a patched firmware version that falls outside the affected version ranges.
  • Restart or reboot the affected services to ensure the patch is active and verify that no local accounts retain unnecessary elevated privileges.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
Title | | OS Command Injection Vulnerability in Dell PowerProtect Data Domain

Fri, 17 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dell; Dell powerprotect Data Domain
Vendors & Products | | Dell; Dell powerprotect Data Domain

Fri, 17 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 11:15:00 +0000

Type | Values Removed | Values Added
Description | | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command injection vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-18T03:55:40.665Z

Reserved: 2026-04-01T05:04:41.955Z

Link: CVE-2026-35073

Vulnrichment

Updated: 2026-04-17T11:26:38.363Z

NVD

Status: Awaiting Analysis

Published: 2026-04-17T11:16:10.610

Modified: 2026-04-17T15:07:18.050

Link: CVE-2026-35073

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses