Platform: dell
Component: dell-powerprotect-data-domain
Fixed in: 8.6.0.0, 8.3.1.20
CVE-2026-23775 is a security vulnerability affecting Dell PowerProtect Data Domain appliances running Data Domain Operating System (DD OS) versions 8.0 through 8.5, and LTS2025 release versions 8.3.1.0 through 8.3.1.10. A low-privileged attacker with remote access can exploit this flaw to insert sensitive information into log files, potentially leading to credential exposure. The vulnerability is specifically triggered when retention lock is enabled, and a fix is available in version 8.6.0.0 or later.
CVE-2026-23775 affects Dell PowerProtect Data Domain appliances running DD OS Feature Release versions 8.0 through 8.5 and LTS2025 release versions 8.3.1.0 through 8.3.1.10. It allows sensitive information to be inserted into log files. A low-privileged attacker with remote access could potentially exploit this vulnerability, leading to credential exposure. Authentication attempts as the compromised user would need to be authorized by a high-privileged DD user. This vulnerability poses a risk to data confidentiality and integrity, as exposed credentials could enable unauthorized access to sensitive data stored within the Data Domain appliance.
A remote attacker with access to the Data Domain appliance could exploit this vulnerability by injecting sensitive data into the log files. This data could include usernames, passwords, or configuration-related information. The complexity of exploitation is relatively low, as it does not require elevated privileges to access the appliance. However, authorization for access as the compromised user requires a high-privileged DD user. The impact of exploitation can be significant, potentially allowing unauthorized access to sensitive data and compromising the appliance's security.
Exploit Status
EPSS: 0.02% (5% percentile)
The recommended mitigation for this vulnerability is to update Dell PowerProtect Data Domain appliances to version 8.6.0.0 or later. Dell has released this update to address the issue and prevent the exposure of sensitive information. It is strongly advised to apply the update as soon as possible to minimize the risk of exploitation. Additionally, review and strengthen access and authentication policies to limit the potential impact should the vulnerability be exploited before the update is applied. Regular monitoring of system logs for suspicious activity is also recommended.
Update your Dell PowerProtect Data Domain appliances to version 8.6.0.0 or later, or to version 8.3.1.20 or later. See the Dell Security Advisory DSA-2026-060 for more details and update instructions.
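The affected and fixed version ranges above, turned into a fleet triage check that also records whether the retention lock trigger condition is present. This is an added example, not code from Dell or from this page; the host names are constructed, and treating every 8.3.1.x build as the LTS2025 train is an assumption.

```python
import re

# Versions below are the ones stated on this page; host names are constructed.
FR_FIXED = (8, 6, 0, 0)            # Feature Release fix
LTS_FIXED = (8, 3, 1, 20)          # LTS2025 fix
LTS_LAST_AFFECTED = (8, 3, 1, 10)  # last LTS2025 build listed as affected

def parse_version(text):
    """'8.3.1.10' -> (8, 3, 1, 10); short forms such as '8.5' are zero-padded."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"not a DD OS version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version, retention_lock_enabled):
    """Return (status, upgrade_target) for one appliance."""
    v = parse_version(version)
    if v[:3] == (8, 3, 1):                 # assumption: 8.3.1.x is the LTS2025 train
        if v >= LTS_FIXED:
            return ("fixed", None)
        if v > LTS_LAST_AFFECTED:          # 8.3.1.11-8.3.1.19: not listed on the page
            return ("unlisted", None)
        target = "8.3.1.20 or later"
    elif v >= FR_FIXED:
        return ("fixed", None)
    elif (8, 0) <= v[:2] <= (8, 5):
        target = "8.6.0.0 or later"
    else:                                  # e.g. 7.x: the page makes no statement
        return ("unlisted", None)
    # The page ties the trigger to retention lock being enabled.
    state = "present" if retention_lock_enabled else "absent"
    return (f"affected-trigger-{state}", target)

def triage(inventory):
    """Sort (host, version, retention_lock) rows so exposed appliances come first."""
    order = {"affected-trigger-present": 0, "affected-trigger-absent": 1,
             "unlisted": 2, "fixed": 3}
    rows = [(host, ver, *classify(ver, lock)) for host, ver, lock in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

if __name__ == "__main__":
    sample = [("dd-dr-01", "8.3.1.20", True), ("dd-prod-02", "8.5.0.0", False),
              ("dd-lab-01", "8.3.1.15", True), ("dd-prod-01", "8.3.1.10", True)]
    for row in triage(sample):
        print(*row, sep="\t")
```

Builds the page does not list come back as `unlisted` rather than being guessed at; check those against DSA-2026-060.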
Affected versions are Feature Release 8.0 through 8.5 and LTS2025 8.3.1.0 through 8.3.1.10.
No for initial access, but yes for authentication as the compromised user.
Review and strengthen access policies, monitor logs, and consider network segmentation.
No, there is currently no KEV available for this vulnerability.
The update is available on the Dell support website.