Skip to main content

PowerProtect Data Domain CVE-2026-53481

| EUVDEUVD-2026-42038 CRITICAL
Path Traversal (CWE-22)
2026-07-07 dell GHSA-jc2f-55p8-6hmw
9.8
CVSS 3.1 · Vendor: dell
Share

Severity by source

Vendor (dell) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Dell describes unauthenticated remote path traversal escalating to complete system control, supporting AV:N/AC:L/PR:N/UI:N with full C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (dell).

CVSS VectorVendor: dell

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 14:01 EUVD
Analysis Generated
Jul 07, 2026 - 13:38 vuln.today

DescriptionCVE.org

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to the system. This is a critical severity vulnerability as it allows an attacker to take complete control of system; so Dell recommends customers to upgrade at the earliest opportunity.

AnalysisAI

Path traversal leading to full system compromise affects Dell PowerProtect Data Domain (DD OS) versions 7.7.1.0 through 8.7, plus the LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches. Per the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N), an unauthenticated remote attacker can traverse outside the intended directory to gain unauthorized access and, according to Dell, take complete control of the system. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Data Domain network service
Delivery
Send request with '../' traversal payload
Exploit
Escape restricted directory to sensitive files
Execution
Leverage access to gain control
Impact
Take complete control of appliance

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the affected Dell PowerProtect Data Domain service on a vulnerable DD OS build (mainline 7.7.1.0-8.7, LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, or LTS2024 7.13.1.0-7.13.1.70). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals align toward genuine high priority: CVSS 9.8 with a fully remote, low-complexity, unauthenticated, no-interaction vector (AV:N/AC:L/PR:N/UI:N) and full C/I/A impact, reinforced by Dell's own statement that an attacker can take 'complete control of system' and its urgent upgrade recommendation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a PowerProtect Data Domain appliance's network-exposed service crafts a request containing directory-traversal sequences to read or write files outside the intended directory, and - because the vector is unauthenticated, low-complexity, and remote (AV:N/AC:L/PR:N) - needs no credentials or user interaction. By leveraging the traversal to access sensitive files or configuration, the attacker escalates to full control of the appliance as Dell describes, potentially compromising or destroying the backups it protects. …
Remediation Patch available per vendor advisory - Dell DSA-2026-278 instructs customers to upgrade DD OS to the fixed release for their branch at the earliest opportunity; the input does not enumerate exact fixed build numbers, so consult DSA-2026-278 (https://www.dell.com/support/kbdoc/en-us/000481268/dsa-2026-278-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities) to select the correct fixed version for your mainline, LTS2026, LTS2025, or LTS2024 track before applying it during a maintenance window. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all PowerProtect DD OS systems within the affected version ranges; apply firewall rules restricting network access to these systems to trusted administrative networks only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-53483 CRITICAL
9.8 Jul 07

Improper authentication in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025, and L

CVE-2025-29987 HIGH
8.8 Apr 03

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficie

CVE-2023-44285 HIGH
7.8 Dec 14

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access con

CVE-2023-44277 HIGH
7.8 Dec 14

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injectio

CVE-2026-53479 HIGH
7.2 Jul 07

OS command injection in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025, and LTS2

CVE-2026-49814 HIGH
7.2 Jul 03

Arbitrary OS command execution in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025

CVE-2026-53478 HIGH
7.2 Jul 03

Authenticated OS command injection in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus LTS2026 8.6.1.0-

CVE-2026-49815 HIGH
7.2 Jul 03

OS command injection in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025, and LTS2

CVE-2023-48667 HIGH
7.2 Dec 14

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injectio

CVE-2026-49813 MEDIUM
6.7 Jul 03

OS command injection in Dell PowerProtect Data Domain across four supported release tracks allows a high-privileged loca

CVE-2023-44279 MEDIUM
6.7 Dec 14

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injecti

CVE-2023-44278 MEDIUM
6.7 Dec 14

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a path traversal vuln

Share

CVE-2026-53481 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy