Impact
Dell PowerProtect Data Domain suffers from an OS command injection flaw: special elements used in operating system commands are not properly neutralized. An attacker who already has high-privileged local access can exploit this weakness to execute arbitrary commands on the host. The flaw maps to CWE-78 and can lead to full compromise of the integrity and confidentiality of the affected system.
Affected Systems
Affected versions include Dell PowerProtect Data Domain 7.7.1.0 through 8.6, with the LTS2026 release series covering 8.6.1.0 to 8.6.1.10, the LTS2025 series covering 8.3.1.0 to 8.3.1.30, and the LTS2024 series covering 7.13.1.0 to 7.13.1.70. All listed builds expose the injection vulnerability when local high-privileged users interact with the system.
Risk and Exploitability
The vulnerability has a CVSS score of 6.7, indicating medium severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, which suggests that exploitation in the wild has not yet been observed. Nonetheless, because the flaw requires only high-privileged local access, insiders and compromised administrative accounts pose a realistic threat. Once exploited, an attacker could execute arbitrary commands, potentially leading to full system compromise or data exfiltration. The absence of widespread public exploits does not remove the risk: organizations should treat this as a credible threat, apply the vendor's fixed releases, and monitor for any new evidence of malicious activity.
OpenCVE Enrichment