CVE-2026-49814

Dell · PowerProtect Data Domain

Dell PowerProtect Data Domain is vulnerable to OS Command Injection, allowing an authenticated administrator to execute arbitrary commands on the underlying operating system.

Executive summary

An OS Command Injection vulnerability in Dell PowerProtect Data Domain allows authenticated administrators to achieve unauthorized command execution on the host system.

Vulnerability

This vulnerability involves the improper neutralization of special elements used in OS commands. An attacker with high-level administrative privileges can leverage this flaw to inject and execute arbitrary system commands.

Business impact

With a CVSS score of 7.2, this vulnerability poses a significant risk to the integrity and availability of the storage infrastructure. While it requires administrative authentication, the ability to execute OS-level commands could allow an attacker to bypass security controls, destroy data, or pivot further into the internal network, leading to catastrophic system downtime.

Remediation

Immediate Action: Upgrade Dell PowerProtect Data Domain to the fixed versions (8.8.0.0, 8.6.1.20, 8.3.1.40, 7.13.1.80 or later) as detailed in the Dell Security Advisory (DSA-2026-278).

Proactive Monitoring: Audit administrative activity logs for anomalous shell commands or unauthorized modifications to system configurations.

Compensating Controls: Restrict administrative access to the management interface to known, trusted management workstations and enforce strict Role-Based Access Control (RBAC).
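As an added example (not Dell's code and not part of the advisory), the check below classifies an installed Data Domain version against the fixed versions listed above. It assumes each listed fix applies to the release branch identified by the first two version components (so 7.13.x needs 7.13.1.80 or later, 8.6.x needs 8.6.1.20 or later), and treats branches the advisory does not name as "unknown" rather than guessing; the inventory at the bottom is constructed sample data.

```python
"""Classify Dell PowerProtect Data Domain versions against the fixes for
CVE-2026-49814 (DSA-2026-278). Branch mapping below is an assumption."""
from typing import Dict, Tuple

# Fixed versions quoted in the advisory text.
FIXED_VERSIONS = ("8.8.0.0", "8.6.1.20", "8.3.1.40", "7.13.1.80")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.6.1.20' into (8, 6, 1, 20); shorter strings are zero-padded."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


# ASSUMPTION: each fixed release repairs the branch given by its first two
# components, e.g. (8, 6) -> (8, 6, 1, 20).
FIXED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS}
NEWEST_FIX = max(FIXED_BY_BRANCH.values())


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one installed version."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return "fixed" if v >= FIXED_BY_BRANCH[branch] else "vulnerable"
    if v >= NEWEST_FIX:
        return "fixed"  # newer than the newest fixed release ("8.8.0.0 or later")
    return "unknown"    # branch not named in the advisory; consult DSA-2026-278


def hosts_needing_action(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for every host not confirmed fixed."""
    return {h: assess(v) for h, v in inventory.items() if assess(v) != "fixed"}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"dd-site-a": "7.13.1.75", "dd-site-b": "8.6.1.20",
              "dd-lab": "8.7.0.5", "dd-site-c": "8.3.2.0"}
    for host, status in hosts_needing_action(sample).items():
        print(f"{host}: {status}")
```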

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a high-risk security gap in critical storage infrastructure. It is imperative that security teams verify their current firmware version and schedule the necessary updates to the recommended versions to eliminate the command injection vector.