Description
Dell PowerProtect Data Domain appliances, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper privilege management vulnerability.
A high privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges to access unauthorized delete operation.
Published: 2026-04-20
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper privilege management vulnerability exists in Dell PowerProtect Data Domain appliances, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60. A high‑privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges and access to unauthorized delete operations. The vulnerability is categorized as a CWE‑269 (Access Control).

Affected Systems

The vulnerability affects Dell PowerProtect Data Domain appliances running firmware versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, and LTS2024 release versions 7.13.1.0 through 7.13.1.60.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, while the EPSS score of < 1% shows low exploitation probability. The vulnerability is not currently listed in the CISA KEV catalog, suggesting no widespread exploitation yet. A local attacker who has high‑privileged access on the appliance could exploit the flaw by elevating privileges to perform unauthorized delete operations. Because the attack requires local high‑privilege conditions, it is less likely to be leveraged remotely, but within a compromised environment the risk remains significant.

Generated by OpenCVE AI on May 11, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Dell PowerProtect Data Domain firmware update released in Dell Security Advisory 2026‑060, which addresses the IDRAC privilege escalation flaw.
  • Upgrade the IDRAC firmware component to the latest version published by Dell.
  • Reboot the appliance to ensure the firmware changes take effect.
  • Restrict local IDRAC access and enforce least‑privilege policies for local user accounts to reduce the attack surface.

Generated by OpenCVE AI on May 11, 2026 at 09:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 09:45:00 +0000

Type Values Removed Values Added
Title IDRAC Privilege Escalation via Improper Access Control

Mon, 11 May 2026 08:45:00 +0000

Type Values Removed Values Added
Description Dell PowerProtect Data Domain appliances, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper privilege management vulnerability in IDRAC. A high privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges to access unauthorized delete operation in IDRAC. Dell PowerProtect Data Domain appliances, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper privilege management vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges to access unauthorized delete operation.

Tue, 28 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Dell data Domain Operating System
CPEs cpe:2.3:o:dell:data_domain_operating_system:*:*:*:*:*:*:*:*
Vendors & Products Dell data Domain Operating System

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Dell
Dell powerprotect Data Domain
Vendors & Products Dell
Dell powerprotect Data Domain

Mon, 20 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Title IDRAC Privilege Escalation via Improper Access Control

Mon, 20 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description Dell PowerProtect Data Domain appliances, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper privilege management vulnerability in IDRAC. A high privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges to access unauthorized delete operation in IDRAC.
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Dell Data Domain Operating System Powerprotect Data Domain
cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-05-11T08:27:52.270Z

Reserved: 2026-04-01T17:04:27.475Z

Link: CVE-2026-35154

cve-icon Vulnrichment

Updated: 2026-04-20T18:08:38.657Z

cve-icon NVD

Status : Modified

Published: 2026-04-20T17:16:34.263

Modified: 2026-05-11T09:16:25.753

Link: CVE-2026-35154

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T09:30:33Z

Weaknesses