{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24506", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2026-01-23T06:07:21.818Z", "datePublished": "2026-04-20T16:22:37.689Z", "dateUpdated": "2026-04-20T16:22:37.689Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-04-20T16:22:37.689Z"}, "datePublic": "2026-04-15T18:30:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "affected": [{"vendor": "Dell", "product": "PowerProtect Data Domain", "versions": [{"status": "affected", "version": "0", "lessThan": "8.6.1.10, 8.7.0.0 or later", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "8.3.1.30 or later", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "7.13.1.70 or later", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "2.7.9 with DD OS 8.3.1.30", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution as root.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution as root."}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Dell would like to thank zzcentury from Ubisectech Sirius Team for reporting these issues.", "type": "sponsor"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution as root."}], "id": "CVE-2026-24506", "lastModified": "2026-04-20T17:16:32.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2026-04-20T17:16:32.050", "references": [{"source": "security_alert@emc.com", "url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security_alert@emc.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T17:18:03.873806+00:00", "value": {"mitigation_remediation": ["Apply the Dell PowerProtect Data Domain security patch released in the Dell Security Advisory 2026-060.", "Upgrade the appliance to a non\u2011affected version, such as 8.7 or later, or the latest LTS2025/LTS2024 patch level.", "Restrict remote privileged access to the appliance through network segmentation, bastion hosts, and least\u2011privilege policies."], "summary": {"action": "Immediate Patch", "impact": "Remote Command Execution (root)"}, "threat_synthesis": {"affected_systems": "Dell PowerProtect Data Domain appliances running versions 7.7.1.0 through 8.6, the LTS2025 release series 8.3.1.0 through 8.3.1.20, and the LTS2024 release series 7.13.1.0 through 7.13.1.60 are affected.", "description_and_impact": "A high\u2011privileged attacker with remote access can exploit a command injection flaw in Dell PowerProtect Data Domain. The weakness, classified as CWE\u201178, allows arbitrary shell commands to be executed with root privileges, potentially compromising the entire appliance and any data it protects. It can be leveraged to gain full control over the system, exfiltrate data, or pivot to other parts of the infrastructure.", "risk_and_exploitability": "The vulnerability scores a CVSS of 7.2, indicating high severity. EPSS information is currently unavailable, and it is not listed in the CISA KEV catalog. Exploitation requires remote high\u2011privileged access; the attack vector is inferred from the description, as the official advisory specifies remote exploitation by a privileged attacker."}}}}, "created": "2026-04-20T17:30:12.647788+00:00", "title": "OS Command Injection in Dell PowerProtect Data Domain Enables Arbitrary Root Execution", "updated": "2026-04-20T17:30:12.647843+00:00", "vendors": []}