Description
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special elements used in an OS command ('OS command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution.
Published: 2026-07-03
Score: 6.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dell PowerProtect Data Domain suffers from an OS command injection flaw, where special elements used in operating system commands are not properly neutralized. An attacker who already has high privileged local access can exploit this weakness to execute arbitrary commands on the host. The flaw maps to CWE-78 and can lead to full compromise of the integrity and confidentiality of the affected system.

Affected Systems

Affected releases include Dell PowerProtect Data Domain versions 7.7.1.0 through 8.6, with the LTS2026 release series covering 8.6.1.0 to 8.6.1.10, the LTS2025 series from 8.3.1.0 to 8.3.1.30, and the LTS2024 series ranging from 7.13.1.0 to 7.13.1.70. All listed builds expose the injection vulnerability when local high privileged users interact with the system.

Risk and Exploitability

The vulnerability has a CVSS score of 6.7, indicating medium severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting that exploitation has not yet been observed in the wild. Nonetheless, because exploitation requires high privileged local access, insiders or compromised accounts pose a realistic threat. Once exploited, an attacker could execute commands, potentially leading to full system compromise or data exfiltration. Even without widespread public exploits, organizations should treat this as a credible risk while monitoring for any new evidence of malicious activity.

Generated by OpenCVE AI on July 3, 2026 at 20:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell PowerProtect Data Domain security update released in DSA-2026-278 for the affected release series.
  • Restrict local high privileged access to a minimal set of trusted administrators and disable unused privileged accounts.
  • Enable and monitor audit logs for elevated command execution to detect suspicious activity.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 21:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Local OS Command Injection in Dell PowerProtect Data Domain |

Fri, 03 Jul 2026 16:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Dell; Dell powerprotect Data Domain |
| Vendors & Products | | Dell; Dell powerprotect Data Domain |

Fri, 03 Jul 2026 13:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special elements used in an OS command ('OS command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution. |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-07-03T12:34:43.239Z

Reserved: 2026-06-15T17:49:28.560Z

Link: CVE-2026-54483

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T20:45:16Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')