Pending AnalysisCVE-2026-23777

CVE-2026-23777: Information Exposure in Dell PowerProtect Data Domain

Platform

linux

Component

dell-powerprotect-datadomain

Fixed in

8.6.0.0 or later

View on NVD

Save

CVE-2026-23777 describes an information exposure vulnerability present in Dell PowerProtect Data Domain. This flaw allows a low-privileged attacker with remote access to potentially retrieve sensitive data. The vulnerability impacts versions 7.7.1.0 through 8.5, LTS2025 versions 8.3.1.0 through 8.3.1.20, and LTS2024 versions 7.13.1.0 through 7.13.1.50. Dell recommends upgrading to version 8.6.0.0 or later to address this issue.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-23777 could lead to the unauthorized disclosure of sensitive data stored within the Dell PowerProtect Data Domain system. The specific data exposed is not detailed, but given the nature of Data Domain systems, it could include backups of critical business data, configuration files, or other confidential information. An attacker gaining access to this data could use it for further attacks, such as data breaches, extortion, or identity theft. The low privilege requirement for exploitation broadens the potential attack surface, as many users within an organization might have remote access to the system.

Exploitation Context

CVE-2026-23777 was published on April 17, 2026. Its severity is rated as MEDIUM. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.01% (1% percentile)

CVSS Vector

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
Integrity: None — no integrity impact. Attacker cannot modify data.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Componentdell-powerprotect-datadomain

VendorDell

Minimum version7.7.1.0

Maximum version8.6.0.0 or later

Fixed in8.6.0.0 or later

Weakness Classification (CWE)

CWE-200

Timeline

Published2026-04-17
EPSS updated2026-04-24

Mitigation and Workarounds

The primary mitigation for CVE-2026-23777 is to upgrade Dell PowerProtect Data Domain to version 8.6.0.0 or later. Before upgrading, review Dell's compatibility matrix to ensure the new version is compatible with your existing infrastructure and applications. If an immediate upgrade is not feasible, consider implementing network segmentation to restrict remote access to the Data Domain system. Review and strengthen access controls to limit the number of users with remote access privileges. While a WAF or proxy cannot directly mitigate this vulnerability, they can help detect and block suspicious activity related to potential exploitation attempts.

How to fix

Actualice su sistema Dell PowerProtect Data Domain a la versión 8.6.0.0 o posterior, o a la versión 8.3.1.20 o posterior, o a la versión 7.13.1.50 o posterior, o a la versión 2.7.9 con DD OS 8.3.1.30 para mitigar la vulnerabilidad de exposición de información sensible. Consulte la nota de seguridad DSA-2026-060 para obtener más detalles e instrucciones de actualización.

Frequently asked questions

What is CVE-2026-23777 — Information Exposure in Dell PowerProtect Data Domain?

CVE-2026-23777 is a medium-severity vulnerability affecting Dell PowerProtect Data Domain versions 7.7.1.0–8.6.0.0, allowing remote attackers to potentially expose sensitive information.

Am I affected by CVE-2026-23777 in Dell PowerProtect Data Domain?

You are affected if your Dell PowerProtect Data Domain is running versions 7.7.1.0 through 8.5, LTS2025 versions 8.3.1.0 through 8.3.1.20, or LTS2024 versions 7.13.1.0 through 7.13.1.50.

How do I fix CVE-2026-23777 in Dell PowerProtect Data Domain?

Upgrade your Dell PowerProtect Data Domain to version 8.6.0.0 or later. Review Dell's compatibility matrix before upgrading.

Is CVE-2026-23777 being actively exploited?

Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-23777, but monitoring is advised.

Where can I find the official Dell advisory for CVE-2026-23777?

Refer to the official Dell Security Advisory for CVE-2026-23777, which can be found on the Dell Support website (search for CVE-2026-23777).

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free Search CVEs

livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...

Browse files