CVE-2026-26355 in PowerProtect Data Domaininfo

Summary

by MITRE • 07/03/2026

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special Elements used in an OS command ('OS command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to command execution.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/03/2026

The Dell PowerProtect Data Domain series presents a critical operating system command injection vulnerability that affects multiple release versions spanning from 7.7.1.0 through 8.7 and specific LTS releases including 8.6.1.0 through 8.6.1.10 and 8.3.1.0 through 8.3.1.30. This vulnerability stems from inadequate sanitization of user-supplied input within command execution contexts, creating a pathway for malicious actors to inject arbitrary operating system commands. The flaw resides in the system's failure to properly neutralize special elements that are typically used in OS command construction, making it susceptible to exploitation by attackers who can manipulate input fields that subsequently get processed into system commands.

The technical implementation of this vulnerability manifests when authenticated users with high-privilege access attempt to submit specially crafted input through various interface components that eventually get executed as operating system commands. This improper neutralization creates a direct attack surface where command injection occurs, allowing an attacker to execute arbitrary code on the underlying operating system. The attack vector requires remote access capabilities combined with elevated privileges, suggesting that the vulnerability may be exploited either through direct network access or via compromised accounts with administrative rights. According to CWE classification, this represents a classic command injection flaw categorized under CWE-78, which specifically addresses improper neutralization of special elements in OS commands.

The operational impact of this vulnerability extends beyond simple code execution, as successful exploitation could result in complete system compromise and unauthorized access to sensitive data stored within the PowerProtect Data Domain environment. An attacker could leverage this vulnerability to establish persistent backdoors, escalate privileges further, or exfiltrate critical backup data. The implications are particularly severe given that PowerProtect Data Domain systems typically store valuable organizational data and operate with elevated system permissions. This vulnerability aligns with ATT&CK technique T1059.003 for command and scripting interpreter, where adversaries use legitimate command-line interfaces to execute malicious code, potentially enabling lateral movement within the network infrastructure.

Organizations should immediately implement mitigations including patching to the latest available versions that address this vulnerability, enforcing strict input validation mechanisms, and implementing network segmentation controls to limit access to these systems. Access controls should be reviewed and strengthened to ensure only authorized personnel can reach administrative interfaces, while monitoring systems should be enhanced to detect anomalous command execution patterns. The remediation process must include comprehensive testing of patched environments to ensure that the vulnerability is fully resolved without introducing regressions in system functionality. Security teams should also conduct thorough audits of existing access controls and privilege assignments to reduce the attack surface for potential exploitation attempts.

Responsible

Dell

Reservation

02/13/2026

Disclosure

07/03/2026

Moderation

accepted

CPE

ready

EPSS

0.01052

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!