Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Network-accessible management interface requires high-privilege credentials; no confidentiality impact described; full integrity and availability loss on the appliance matches OS command injection with admin-level execution.
Primary rating from Vendor (emc).
CVSS VectorVendor: emc
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special Elements used in an OS command ('OS command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to command execution.
AnalysisAI
OS command injection in Dell PowerProtect Data Domain across four version release trains allows a high-privileged remote attacker to execute arbitrary operating system commands on the appliance. Affected products span mainline versions 7.7.1.0 through 8.7 and three LTS branches, confirmed by Dell Security Advisory DSA-2026-278. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a high-privileged (administrative) account with remote network access to the Dell PowerProtect Data Domain management interface, as confirmed by the CVSS vector (AV:N/PR:H). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 6.5 (Medium) accurately reflects the PR:H gate - exploitation is strictly limited to high-privileged accounts with remote network access, substantially constraining the realistic attacker population to insiders, credential-compromise scenarios, or lateral movement from an already-privileged management host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained high-privileged Data Domain administrator credentials - through phishing, credential stuffing against the management interface, or lateral movement from a compromised management workstation - authenticates remotely and submits a crafted request containing shell metacharacters to a vulnerable management function. The appliance passes the unsanitized input to a system shell call, executing the attacker's injected OS commands with the privileges of the management process. … |
| Remediation | Administrators should apply the patched versions specified in Dell Security Advisory DSA-2026-278 (https://www.dell.com/support/kbdoc/en-us/000481268/dsa-2026-278-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities) for their applicable release stream - exact fix versions are not independently confirmed from the available intelligence data and must be obtained directly from the advisory, which covers multiple vulnerabilities in this release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Data Domain Operating System
View allDell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficie
Improper authorization enforcement in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.6, plus LTS branches 8.6
Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain an OS command injection v
Dell PowerProtect DD, version(s) 8.0, 7.13.1.0, 7.10.1.30, 7.7.5.40, contain(s) an Out-of-bounds Write vulnerability. Ra
Denial of service in Dell PowerProtect Data Domain (DDOS versions 7.7.1.0 through 8.7, plus LTS2026 8.6.1.0-8.6.1.10, LT
Dell PowerProtect Data Domain, versions prior to 8.1.0.0, 7.13.1.10, 7.10.1.40, and 7.7.5.50, contains an escalation of
Dell PowerProtect DD, versions prior to 8.1.0.0, 7.13.1.10, 7.10.1.40, and 7.7.5.50, contains an access control vulnerab
Stored cross-site scripting in Dell PowerProtect Data Domain (DD OS 7.7.1.0 through 8.7, plus the LTS2026 8.6.1.x, LTS20
Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 on DDMC contain a relative path t
OS command injection in Dell PowerProtect Data Domain enables a high-privileged local attacker to execute arbitrary oper
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.
Dell PowerProtect DD, versions prior to 7.7.5.50, contains an Exposure of Sensitive Information to an Unauthorized Actor
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41537
GHSA-fh65-mw6q-c8vh