Introduction
A root-level OS command injection in Dell PowerProtect Data Domain means that any attacker who has already obtained high-privilege administrative access to the appliance can escalate to full root command execution remotely, with no user interaction required. For organizations that rely on Data Domain as the backbone of their backup and disaster recovery strategy, this vulnerability puts the last line of defense against ransomware and data loss directly at risk.
Dell PowerProtect Data Domain is a widely deployed enterprise backup and deduplication storage platform. It serves as a core component for backup, archive, and disaster recovery operations across large enterprises, and the platform includes physical appliances, virtual editions, and cloud-integrated offerings such as Dell APEX Protection Storage. Its role in ransomware recovery workflows makes it a particularly sensitive target in any enterprise environment.
Technical Information
CVE-2026-26943 is classified under CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection). The root cause is insufficient sanitization of input that is eventually passed to an operating system command execution context within the Data Domain OS. While Dell has not disclosed the specific input surface or API endpoint involved, the CVSS vector string tells us a great deal about the nature of the flaw.
The full CVSS 3.1 vector is AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 7.2. Breaking this down:
- Attack Vector (Network): The vulnerability is reachable over the network. This is consistent with Data Domain's management interfaces, which are typically exposed via SSH, REST APIs, or web-based administration consoles.
- Attack Complexity (Low): No special conditions, race windows, or non-default configurations are required. Once the attacker has the right access, exploitation is straightforward.
- Privileges Required (High): The attacker must possess high-level administrative credentials on the Data Domain system. This is the primary barrier to exploitation.
- User Interaction (None): No legitimate user needs to click a link or perform any action.
- Scope (Unchanged): The impact is confined to the vulnerable component itself, though given that the component is the entire Data Domain OS, this still means full system compromise.
- Impact (High across all three dimensions): Successful exploitation grants arbitrary command execution as root, meaning complete control over the appliance's data, configuration, and availability.
Chaining Risk with CVE-2026-26944
The same Dell advisory, DSA-2026-060, also addresses CVE-2026-26944, a Missing Authentication for Critical Function vulnerability scored at CVSS 8.8. This adjacent flaw requires no authentication but does require user interaction. The combination of these two vulnerabilities is worth careful attention from defenders:
| Vulnerability ID | Type | CVSS Score | Authentication Required | User Interaction | Impact |
|---|---|---|---|---|---|
| CVE-2026-26943 | OS Command Injection | 7.2 | High Privileges | None | Root Command Execution |
| CVE-2026-26944 | Missing Authentication | 8.8 | None | Required | Root Command Execution |
An attacker could potentially use CVE-2026-26944 to bypass the high-privilege requirement of CVE-2026-26943. If an unauthenticated attacker can trick an authenticated administrator into performing a specific action (for example, visiting a crafted URL or interacting with a malicious request), they could leverage the missing authentication flaw to gain the foothold needed for command injection. Defenders should treat these as a combined threat package rather than evaluating each in isolation.
Attack Flow
Based on the available technical details, a plausible exploitation flow would proceed as follows:
1. The attacker identifies a network-reachable Dell PowerProtect Data Domain management interface.
2. Using compromised or obtained high-privilege administrative credentials, the attacker authenticates to the management interface.
3. The attacker submits crafted input containing OS command injection payloads through the vulnerable input surface.
4. Due to insufficient input sanitization, the injected commands are passed to an OS-level execution context.
5. The commands execute with root privileges on the underlying Data Domain OS, granting the attacker full control over the appliance.
Alternatively, if chaining with CVE-2026-26944, the attacker could bypass the authentication requirement entirely by exploiting the missing authentication flaw first, then pivoting to the command injection.
Affected Systems and Versions
The vulnerability affects the following Dell PowerProtect Data Domain product families and version ranges:
DD OS Mainline:
- Versions 7.7.1.0 through 8.6
DD OS LTS2025:
- Versions 8.3.1.0 through 8.3.1.20
DD OS LTS2024:
- Versions 7.13.1.0 through 7.13.1.60
Data Domain Management Center:
- Versions before 2.7.9 with DD OS 8.3.1.30
The affected product families include:
- Dell PowerProtect Data Domain series appliances
- Data Domain Virtual Edition
- Dell APEX Protection Storage
- Data Domain Management Center
Remediated versions are as follows:
| Product Track | Affected Versions | Remediated Version |
|---|---|---|
| DD OS Mainline | 7.7.1.0 through 8.6 | 8.6.1.10 or 8.7.0.0 or later |
| DD OS LTS2025 | 8.3.1.0 through 8.3.1.20 | 8.3.1.30 or later |
| DD OS LTS2024 | 7.13.1.0 through 7.13.1.60 | 7.13.1.70 or later |
| Data Domain Management Center | Before 2.7.9 with DD OS 8.3.1.30 | 2.7.9 with DD OS 8.3.1.30 |
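For triaging an inventory against the DD OS rows of the table above, the following added example (not Dell's or the original page's code) classifies a reported DD OS version by track and compares it with that track's first fixed release. It assumes a release's track can be inferred from its first three version components and conservatively treats anything below the fix as affected; Data Domain Management Center is not covered, and the hostnames are constructed.

```python
import re

# (track, first affected version, first fixed version), from the tables above.
# LTS tracks are listed first because their numbers fall inside the Mainline range.
TRACKS = [
    ("DD OS LTS2024", (7, 13, 1, 0), (7, 13, 1, 70)),
    ("DD OS LTS2025", (8, 3, 1, 0), (8, 3, 1, 30)),
    ("DD OS Mainline", (7, 7, 1, 0), (8, 6, 1, 10)),
]

def parse_version(text):
    """'8.3.1.20' -> (8, 3, 1, 20); short forms such as '8.6' are zero-padded."""
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text.strip()):
        raise ValueError(f"not a DD OS version: {text!r}")
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def pick_track(version):
    # Assumption: a release belongs to an LTS track when it shares that
    # track's first three components (7.13.1.x, 8.3.1.x); otherwise Mainline.
    for track in TRACKS[:2]:
        if version[:3] == track[1][:3]:
            return track
    return TRACKS[2]

def assess(text):
    """Return (track, status, first fixed version) for one reported version."""
    version = parse_version(text)
    name, first_affected, fixed = pick_track(version)
    if version >= fixed:
        status = "remediated"
    elif version >= first_affected:
        # Assumption: anything below the fix counts as affected, including
        # Mainline builds between 8.6 and 8.6.1.10 that the page does not list.
        status = "affected"
    else:
        status = "not-listed"  # older than the advisory's stated range
    return name, status, ".".join(map(str, fixed))

if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up for the example.
    inventory = {"dd-prod-01": "8.3.1.20", "dd-dr-01": "7.13.1.70", "ddve-lab": "8.6"}
    for host, ver in inventory.items():
        print(host, ver, *assess(ver))
```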



