Dell Patches Root-Level Vulnerabilities in PowerProtect Data Domain
Take action: Make sure your Dell PowerProtect Data Domain appliances are isolated from the internet and accessible only from trusted management networks. Then plan a prompt update of DD OS to version 7.13.1.70, 8.3.1.30, 8.6.1.10, 8.7.0.1, or later (depending on your release branch) via the Data Domain Download portal.
Learn More
Dell has released security updates addressing a large collection of vulnerabilities in its PowerProtect Data Domain product line, which is widely deployed to protect data across on-premises and multi-cloud environments.
Vulnerability summary:
- CVE-2026-26944 (CVSS score 8.8) - Missing authentication for a critical function, enabling remote arbitrary command execution with root privileges.
- CVE-2026-23853 (CVSS score 8.4) - Use of weak credentials allowing local unauthorized access.
- CVE-2025-36568 (CVSS score 7.8) - Insufficiently protected credentials in BoostFS client, leading to credential exposure.
- CVE-2026-23775 (CVSS score 7.6) - Insertion of sensitive information into log files, resulting in credential exposure on systems with retention lock enabled.
- CVE-2026-23774, CVE-2026-24504, CVE-2026-24505, CVE-2026-24506, CVE-2026-26943, CVE-2026-23778 (CVSS score 7.2 each) - OS command injection and improper input validation flaws that enable high-privileged remote attackers to execute arbitrary commands as root.
- CVE-2026-23776 (CVSS score 7.2) - Improper certificate validation in certificate-based login, leading to elevation of privileges.
Beyond these issues, Dell has also remediated a large set of third-party component vulnerabilities bundled with the product. These include a denial-of-service flaw in Apache Commons FileUpload (CVE-2025-48976) that can crash services, a memory-corruption issue in SQLite (CVE-2025-6965) that could allow malicious code execution, flaws in OpenSSL (CVE-2024-9143), multiple issues in libssh, libxml2, Python, PostgreSQL, linux-pam, and a significant number of Linux kernel vulnerabilities. Additional medium-severity issues addressed include cross-site scripting (CVE-2026-28263), session fixation (CVE-2025-46605), improper restriction of excessive authentication attempts (CVE-2025-46606), and improper authentication flaws (CVE-2025-46607, CVE-2025-46641) in specific DD OS feature-release versions.
The flaws affect:
- Dell PowerProtect Data Domain series appliances
- Data Domain Virtual Edition
- Dell APEX Protection Storage
- Data Domain Management Center
- PowerProtect DP Series Appliance (IDPA)
Dell has stated it is not aware of any active exploitation in the wild at the time of publication. Given the severity of the issues, administrators should apply the updates without delay.
Customers should upgrade to DD OS 7.13.1.70, 8.3.1.30, 8.6.1.10, 8.7.0.1, or later, depending on their release branch, using the Data Domain Download portal.
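As an added defender-side check that is not part of Dell's advisory: the script below compares an inventory of DD OS versions against the four fixed builds listed above, keyed by release branch (the first two version components), and flags branches the advisory does not list rather than guessing. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed DD OS build per release branch, taken from the advisory above.
# Branch key = (major, minor) of the version string.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (7, 13): (7, 13, 1, 70),
    (8, 3): (8, 3, 1, 30),
    (8, 6): (8, 6, 1, 10),
    (8, 7): (8, 7, 0, 1),
}

_VERSION_RE = re.compile(r"^\d+(?:\.\d+){1,3}$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted DD OS version such as '7.13.1.20' into a 4-int tuple."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted DD OS version: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))  # pad so tuples compare element-wise


def is_patched(version: str) -> Optional[bool]:
    """True if the build is at or after its branch's fixed version, False if it is
    still vulnerable, None if the branch is not one the advisory lists."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None  # e.g. 8.4.x / 8.5.x: check the vendor advisory, do not assume safe
    return v >= fixed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket a {hostname: version} inventory into patched / vulnerable / unknown_branch."""
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown_branch": []}
    for host, ver in inventory.items():
        status = is_patched(ver)
        bucket = "unknown_branch" if status is None else ("patched" if status else "vulnerable")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real systems).
    sample = {"dd-backup-01": "7.13.1.20", "dd-backup-02": "8.3.1.30",
              "dd-dr-01": "8.6.0.5", "dd-lab-01": "8.5.0.10"}
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {hosts}")
```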