Dell PowerProtect Data Domain: Arg Injection (cmd exec) pre-8.7.0.0, 8.3.1.020, 7.13.1.060
CVE-2026-35153 Published on April 17, 2026
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of argument delimiters in a command ('argument injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Vulnerability Analysis
CVE-2026-35153 can be exploited with local system access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is an Argument Injection Vulnerability?
The software constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
CVE-2026-35153 has been classified as an Argument Injection vulnerability or weakness.
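The weakness class described above, as an added illustration that is not code from Dell or from the affected product: a command built as one string lets a caller-supplied value become extra options, while the hardened form allow-lists the value and passes it as a single argv element after "--". The tool name report-tool, its --format option and the sample values are constructed assumptions.

```python
import re
import shlex

# Hypothetical helper binary and option; not taken from any Dell product.
TOOL = "report-tool"

# Allow-list for the caller-supplied value: must not start with '-',
# and contains no whitespace, quotes or shell metacharacters.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._][A-Za-z0-9._-]{0,63}")


def unsafe_argv(name: str) -> list[str]:
    """Weak pattern: build one command string, split on whitespace later."""
    return shlex.split(f"{TOOL} --format text {name}")


def safe_argv(name: str) -> list[str]:
    """Hardened pattern: validate, then pass as one element after '--'."""
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected argument: {name!r}")
    return [TOOL, "--format", "text", "--", name]


def injected_options(argv: list[str], expected: set[str]) -> list[str]:
    """Return option-like tokens before '--' that the caller never intended.

    Usable as a pre-execution check or when reviewing audit records of
    spawned processes.
    """
    head = argv[1:argv.index("--")] if "--" in argv else argv[1:]
    return [a for a in head
            if a.startswith("-") and a.split("=")[0] not in expected]


if __name__ == "__main__":
    # Constructed sample inputs.
    benign = "daily"
    crafted = "daily --config=/tmp/other.conf"
    expected = {"--format"}

    print(unsafe_argv(crafted))
    print("unintended options:", injected_options(unsafe_argv(crafted), expected))
    print(safe_argv(benign))
    try:
        safe_argv(crafted)
    except ValueError as err:
        print(err)
```
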
Affected Versions
Dell PowerProtect Data Domain:
- Before 8.6.1.10, 8.7.0.1 or later is affected.
- Before 8.3.1.30 or later is affected.
- Before 7.13.1.70 or later is affected.
- Before 2.7.9 with DD OS 8.3.1.30 is affected.