Description
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS Command Injection vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Published: 2026-04-17
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Command Execution with Root Privileges
Action: Immediate Patch
AI Analysis

Impact

Dell PowerProtect Data Domain suffers from OS Command Injection due to improper neutralization of special elements in command strings. The weakness, identified as CWE‑78, allows a highly privileged attacker with local access to issue arbitrary shell commands that execute with root-level privileges, fully compromising the affected appliance.

Affected Systems

The vulnerable versions are Dell PowerProtect Data Domain 7.7.1.0 through 8.7.0.0, LTS2025 releases 8.3.1.0 through 8.3.1.20, and LTS2024 releases 7.13.1.0 through 7.13.1.60. Any appliance running these builds is susceptible until updated to a patched release.

Risk and Exploitability

The CVSS score of 6.7 indicates moderate severity, but the vulnerability requires local, highly privileged access, limiting its exploitation likelihood. EPSS information is unavailable, and the issue is not listed in the CISA KEV catalog. Because the attack needs local control, the risk is confined to environments where administrative credentials or physical access can be compromised, though a successful exploit would grant full system compromise.

Generated by OpenCVE AI on April 18, 2026 at 09:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell PowerProtect Data Domain security update DSA‑2026‑060 to upgrade to a version that fixes the command injection flaw.
  • Reduce the number of local accounts with administrative rights and enforce the principle of least privilege.
  • Physically secure the appliance and restrict physical access to prevent local attackers from gaining elevated privileges.
  • Enable and monitor audit logs for unexpected command execution or use of privileged shells, and investigate any anomalies promptly.

Generated by OpenCVE AI on April 18, 2026 at 09:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Dell
Dell powerprotect Data Domain
Vendors & Products Dell
Dell powerprotect Data Domain

Fri, 17 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Description Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS Command Injection vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Dell Powerprotect Data Domain
cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-18T03:55:42.483Z

Reserved: 2026-04-01T05:04:41.955Z

Link: CVE-2026-35074

cve-icon Vulnrichment

Updated: 2026-04-18T02:56:15.329Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T11:16:10.737

Modified: 2026-04-17T15:07:18.050

Link: CVE-2026-35074

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses