Numerous attacks on Dell PowerProtect Data Domain possible
In current versions of Dell PowerProtect Data Domain, developers have closed vulnerabilities.
Dell PowerProtect Data Domain is meant to protect data in on-premises and multi-cloud environments. However, numerous security vulnerabilities leave instances open to attack.
The Dangers
According to a security advisory, the now-closed vulnerabilities are in components that PowerProtect Data Domain uses, such as Apache Commons FileUpload and OpenSSL. However, the application itself is also vulnerable. The developers state that they have resolved the security issues in versions 7.13.1.70, 8.3.1.30, 8.6.1.10, and 8.7.0.1.
The majority of the closed vulnerabilities are rated “high.” For example, attackers can exploit a DoS vulnerability (CVE-2025-48976) in Apache Commons FileUpload to trigger crashes. However, there are also “critical” vulnerabilities. For instance, malicious code can enter systems via an SQLite vulnerability (CVE-2025-6965).
More than a Dozen Root Security Vulnerabilities
Among other issues, PowerProtect Data Domain is affected by a root vulnerability (CVE-2026-26944, “high”). Because authentication is missing for critical functions, attackers can remotely exploit the vulnerability and execute malicious code with root privileges. In that case, a complete compromise of the system is to be expected. Thirteen additional root vulnerabilities have been closed.
Additionally, attackers can access instances due to insufficiently protected credentials (CVE-2025-36568, “high”). So far, Dell has no indication that attackers are already exploiting the vulnerabilities. However, since that can change quickly, administrators should not delay patching.
Most recently, in March, Dell closed several security vulnerabilities in Dell Secure Connect Gateway Policy Manager.
(des)