Vulnerability-Lookup

CNVD-2026-18585

Vulnerability from cnvd - Published: 2026-04-21

Title

Dell PowerProtect Data Domain Data Domain Operating System命令注入漏洞

Description

Dell PowerProtect Data Domain是一款数据保护专用存储设备，其主要功能是提供高效的数据去重、备份和恢复。 Dell PowerProtect Data Domain存在命令注入漏洞。该漏洞源于Data Domain Operating System未能正确处理用户输入，攻击者可利用该漏洞通过远程注入恶意命令获取root级别访问权限。

Severity

高

Patch Name

Dell PowerProtect Data Domain Data Domain Operating System命令注入漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities

Reference

https://nvd.nist.gov/vuln/detail/CVE-2026-23778

Impacted products

Name
['DELL PowerProtect Data Domain >=7.7.1.0，<=8.5', 'DELL PowerProtect Data Domain >=LTS2025 8.3.1.0，<8.3.1.20', 'DELL PowerProtect Data Domain >=LTS2024 7.13.1.0，<=7.13.1.50']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2026-23778",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2026-23778"
    }
  },
  "description": "Dell PowerProtect Data Domain\u662f\u4e00\u6b3e\u6570\u636e\u4fdd\u62a4\u4e13\u7528\u5b58\u50a8\u8bbe\u5907\uff0c\u5176\u4e3b\u8981\u529f\u80fd\u662f\u63d0\u4f9b\u9ad8\u6548\u7684\u6570\u636e\u53bb\u91cd\u3001\u5907\u4efd\u548c\u6062\u590d\u3002\n\nDell PowerProtect Data Domain\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eData Domain Operating System\u672a\u80fd\u6b63\u786e\u5904\u7406\u7528\u6237\u8f93\u5165\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u8fdc\u7a0b\u6ce8\u5165\u6076\u610f\u547d\u4ee4\u83b7\u53d6root\u7ea7\u522b\u8bbf\u95ee\u6743\u9650\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-18585",
  "openTime": "2026-04-21",
  "patchDescription": "Dell PowerProtect Data Domain\u662f\u4e00\u6b3e\u6570\u636e\u4fdd\u62a4\u4e13\u7528\u5b58\u50a8\u8bbe\u5907\uff0c\u5176\u4e3b\u8981\u529f\u80fd\u662f\u63d0\u4f9b\u9ad8\u6548\u7684\u6570\u636e\u53bb\u91cd\u3001\u5907\u4efd\u548c\u6062\u590d\u3002\r\n\r\nDell PowerProtect Data Domain\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eData Domain Operating System\u672a\u80fd\u6b63\u786e\u5904\u7406\u7528\u6237\u8f93\u5165\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u8fdc\u7a0b\u6ce8\u5165\u6076\u610f\u547d\u4ee4\u83b7\u53d6root\u7ea7\u522b\u8bbf\u95ee\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Dell PowerProtect Data Domain Data Domain Operating System\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "DELL PowerProtect Data Domain \u003e=7.7.1.0\uff0c\u003c=8.5",
      "DELL PowerProtect Data Domain \u003e=LTS2025 8.3.1.0\uff0c\u003c8.3.1.20",
      "DELL PowerProtect Data Domain \u003e=LTS2024 7.13.1.0\uff0c\u003c=7.13.1.50"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2026-23778",
  "serverity": "\u9ad8",
  "submitTime": "2026-04-20",
  "title": "Dell PowerProtect Data Domain Data Domain Operating System\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2026-23778 (GCVE-0-2026-23778)

Vulnerability from cvelistv5 – Published: 2026-04-17 08:33 – Updated: 2026-04-18 03:55

Summary

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability to gain root-level access.

Severity ?

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Assigner

dell

References

URL

Tags

https://www.dell.com/support/kbdoc/en-us/00045069…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Dell	PowerProtect Data Domain	Affected: 0 , < 8.6.0.0 or later (semver) Affected: 0 , < 8.3.1.20 or later (semver) Affected: 0 , < 7.13.1.50 or later (semver) Affected: 0 , < 2.7.9 with DD OS 8.3.1.30 (semver)

Date Public ?

2026-04-15 18:30

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-23778",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-17T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-18T03:55:49.150Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PowerProtect Data Domain",
          "vendor": "Dell",
          "versions": [
            {
              "lessThan": "8.6.0.0 or later",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3.1.20 or later",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.13.1.50 or later",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.7.9 with DD OS 8.3.1.30",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-04-15T18:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability to gain root-level access."
            }
          ],
          "value": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability to gain root-level access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-17T08:33:21.569Z",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2026-23778",
    "datePublished": "2026-04-17T08:33:21.569Z",
    "dateReserved": "2026-01-16T06:05:50.873Z",
    "dateUpdated": "2026-04-18T03:55:49.150Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-18585

CVE-2026-23778 (GCVE-0-2026-23778)

Tags

Sightings

Nomenclature