Impact
Dell PowerProtect Data Domain suffers from an incorrect permission assignment for a critical resource. The vulnerability, catalogued as CWE-732, allows a high-privileged user with local access to bypass intended security boundaries and gain unauthorized access to protected data or functions. The flaw does not enable remote code execution but permits escalation within the local environment, potentially exposing sensitive information or allowing further lateral movement.
Affected Systems
Dell PowerProtect Data Domain releases 7.7.1.0 through 8.6 are affected, including LTS2026 versions 8.6.1.0 to 8.6.1.10, LTS2025 versions 8.3.1.0 to 8.3.1.30, and LTS2024 versions 7.13.1.0 to 7.13.1.70. Any instance running these firmware versions with local privileged accounts is vulnerable.
Risk and Exploitability
The CVSS score of 4.4 indicates a moderate overall risk. The EPSS score is not available, suggesting limited publicly known exploit activity, and the vulnerability is not listed in CISA's KEV catalog. The attack surface is local: an attacker must first gain local administrative privileges on the storage appliance to exploit the incorrect permission assignment. Successful exploitation results in unauthorized data access rather than full system compromise.