Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable management interface (AV:N) exploitable at low complexity by an existing low-privileged account (PR:L), yielding full authorization bypass with high C/I/A on the appliance.
Primary rating from Vendor (emc).
CVSS VectorVendor: emc
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an Incorrect Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.
AnalysisAI
Improper authorization enforcement in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.6, plus LTS branches 8.6.1.0-8.6.1.10, 8.3.1.0-8.3.1.30, and 7.13.1.0-7.13.1.70) allows a low-privileged, remote authenticated attacker to reach resources or actions beyond their assigned role, resulting in unauthorized access. Rated CVSS 8.8 (High) with high confidentiality, integrity, and availability impact and low attack complexity. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to a Dell PowerProtect Data Domain management interface AND a valid low-privileged authenticated session (CVSS PR:L) on an affected DD OS build (mainline 7.7.1.0-8.6, LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, or LTS2024 7.13.1.0-7.13.1.70); no user interaction and no high privileges are needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) indicates network-reachable, low-complexity exploitation that requires an existing low-privileged account and no user interaction, with full high impact to confidentiality, integrity, and availability on the appliance itself (scope unchanged). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or been issued a low-privileged Data Domain account (for example a monitoring or operator role, or a reused/leaked credential) connects to the reachable management interface over the network. Leveraging the incorrect authorization check, they invoke administrative functionality or access backup data that their role should not permit, gaining unauthorized read/write control over the appliance. … |
| Remediation | Patch available per vendor advisory (Dell DSA-2026-278); apply the fixed DD OS release for your specific branch as listed in that advisory (https://www.dell.com/support/kbdoc/en-us/000481268/dsa-2026-278-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities) - the input does not enumerate an exact fixed build per branch, so use the advisory to map your running version (mainline 7.7.1.0-8.6, LTS2026 8.6.1.x, LTS2025 8.3.1.x, or LTS2024 7.13.1.x) to its patched release rather than assuming a version number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all PowerProtect Data Domain appliances; identify instances running versions 7.7.1.0-8.6, 7.13.1.0-7.13.1.70, 8.3.1.0-8.3.1.30, or 8.6.1.0-8.6.1.10; and classify by criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Data Domain Operating System
View allDell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficie
Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain an OS command injection v
Dell PowerProtect DD, version(s) 8.0, 7.13.1.0, 7.10.1.30, 7.7.5.40, contain(s) an Out-of-bounds Write vulnerability. Ra
Denial of service in Dell PowerProtect Data Domain (DDOS versions 7.7.1.0 through 8.7, plus LTS2026 8.6.1.0-8.6.1.10, LT
Dell PowerProtect Data Domain, versions prior to 8.1.0.0, 7.13.1.10, 7.10.1.40, and 7.7.5.50, contains an escalation of
Dell PowerProtect DD, versions prior to 8.1.0.0, 7.13.1.10, 7.10.1.40, and 7.7.5.50, contains an access control vulnerab
Stored cross-site scripting in Dell PowerProtect Data Domain (DD OS 7.7.1.0 through 8.7, plus the LTS2026 8.6.1.x, LTS20
Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 on DDMC contain a relative path t
OS command injection in Dell PowerProtect Data Domain enables a high-privileged local attacker to execute arbitrary oper
OS command injection in Dell PowerProtect Data Domain across four version release trains allows a high-privileged remote
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.
Dell PowerProtect DD, versions prior to 7.7.5.50, contains an Exposure of Sensitive Information to an Unauthorized Actor
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42240
GHSA-gc2x-3r66-52fv