CVE-2026-41124 in PowerProtect Data Domaininfo

Summary

by MITRE • 07/03/2026

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an Improper limitation of a pathname to a restricted directory ('path traversal') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/04/2026

This vulnerability exists within Dell PowerProtect Data Domain systems across multiple release versions including 7.7.1.0 through 8.6, LTS2026 versions 8.6.1.0 through 8.6.1.10, LTS2025 versions 8.3.1.0 through 8.3.1.30, and LTS2024 versions 7.13.1.0 through 7.13.1.70. The core flaw represents an improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal vulnerability. This weakness allows an attacker to access files and directories outside the intended scope by manipulating file path references. The vulnerability specifically affects systems where local privileged access is required for exploitation, making it a local privilege escalation issue rather than a remote attack vector.

The technical implementation of this path traversal flaw stems from insufficient input validation and inadequate sanitization of file path parameters within the Data Domain system's file handling mechanisms. When legitimate users or processes attempt to access files through the system's interfaces, the application fails to properly restrict or validate path components that could contain directory traversal sequences such as "../" or similar constructs. This allows an attacker with high privileged local access to navigate beyond the intended file system boundaries and potentially read sensitive information stored in restricted directories. The vulnerability falls under CWE-22 - Improper Limitation of a Pathname to a Restricted Directory, which is categorized as a weakness that enables unauthorized access to resources outside the intended scope.

The operational impact of this vulnerability extends significantly in environments where Dell PowerProtect Data Domain systems store sensitive backup data, configuration files, and system credentials. Information exposure resulting from successful exploitation could include access to backup repository contents, system configuration files containing sensitive settings, authentication tokens, or other confidential data stored within restricted directories. Given that the vulnerability requires high privileged local access, it primarily affects scenarios where an attacker has already compromised system credentials or gained administrative access through other means. The exposure of such information could lead to further compromise of backup infrastructure, potential data leakage, and disruption of critical backup operations that organizations rely upon for disaster recovery.

Organizations should implement immediate mitigations including applying the latest security patches released by Dell to address this path traversal vulnerability. System administrators must ensure proper access controls are enforced through principle of least privilege, limiting local administrative access to only essential personnel. Network segmentation and monitoring should be enhanced to detect unusual file access patterns that might indicate exploitation attempts. The implementation of file system permissions and access control lists should be reviewed to ensure that sensitive directories are properly restricted and that directory traversal sequences are properly sanitized in all input validation processes. Additionally, security monitoring solutions should be configured to detect potential path traversal attempts within system logs and audit trails. This vulnerability aligns with ATT&CK technique T1074.001 - Data Staged, where adversaries stage data for exfiltration through unauthorized access to restricted directories. Organizations should also consider implementing automated vulnerability scanning processes to identify similar path traversal issues in other system components and ensure proper input validation across all file handling operations within their backup infrastructure environments.

Responsible

Dell

Reservation

04/17/2026

Disclosure

07/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!