Description
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of argument delimiters in a command ('argument injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Published: 2026-04-17
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Execution with Root Privileges
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of argument delimiters in a command, which allows a high privileged attacker with local access to inject arbitrary arguments into system commands. This can be exploited to execute commands with root privileges, compromising the entire system. The weakness is classified as argument injection (CWE-88).

Affected Systems

Dell PowerProtect Data Domain software versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, and LTS2024 release versions 7.13.1.0 through 7.13.1.60 are vulnerable.

Risk and Exploitability

The CVSS score is 6.7, indicating moderate severity. EPSS is not available, and the vulnerability is not listed in CISA KEV. Exploitation requires local high privileged access, which limits the attack surface. Nevertheless, once local root privileges are achieved, an attacker can execute arbitrary commands, making the impact significant for confidentiality, integrity and availability. Immediate patching is advised.

Generated by OpenCVE AI on April 17, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Dell PowerProtect Data Domain security update DSA-2026-060 to all affected versions.
  • Restrict local privileged accounts to reduce the opportunity for exploitation.
  • Monitor system logs for anomalous command executions and review audit trails.

Generated by OpenCVE AI on April 17, 2026 at 11:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Dell
Dell powerprotect Data Domain
Vendors & Products Dell
Dell powerprotect Data Domain

Fri, 17 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Title Argument Injection Vulnerability in Dell PowerProtect Data Domain Allows Local Privileged Command Execution

Fri, 17 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
Description Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of argument delimiters in a command ('argument injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Weaknesses CWE-88
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Dell Powerprotect Data Domain
cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-04-17T12:10:06.258Z

Reserved: 2026-04-01T17:04:27.475Z

Link: CVE-2026-35153

cve-icon Vulnrichment

Updated: 2026-04-17T12:09:59.553Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T11:16:10.870

Modified: 2026-04-17T15:07:18.050

Link: CVE-2026-35153

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:45:20Z

Weaknesses