CVE-2026-24506

HighRCE

Published: 20 April 2026

Published

20 April 2026

Modified

20 April 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 28.4th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24506 is a high-severity OS Command Injection (CWE-78) vulnerability in Dell PowerProtect Data (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation through vendor patching directly eliminates the OS command injection vulnerability in affected Dell PowerProtect Data Domain versions.

SI-10 Information Input Validation good match

prevent

Information input validation prevents OS command injection by ensuring inputs to the vulnerable component are sanitized and do not contain executable commands.

AC-6 Least Privilege partial match

prevent

Least privilege limits high-privileged remote access, reducing the attack surface for exploitation requiring PR:H.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

OS command injection in public-facing Dell appliance directly enables remote exploitation (T1190), Unix shell command execution (T1059.004), and privilege escalation to root (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to…

arbitrary command execution as root.

Deeper analysisAI

CVE-2026-24506 is an OS command injection vulnerability (CWE-78) in Dell PowerProtect Data Domain storage appliances. It affects versions 7.7.1.0 through 8.6, LTS2025 release versions 8.3.1.0 through 8.3.1.20, and LTS2024 release versions 7.13.1.0 through 7.13.1.60. The vulnerability, published on 2026-04-20, has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

A high-privileged attacker with remote network access can exploit this vulnerability to achieve arbitrary command execution with root privileges on the affected system. Exploitation requires elevated privileges (PR:H) but low complexity (AC:L), no user interaction (UI:N), and operates over the network (AV:N) without changing scope (S:U).

Dell has published advisory DSA-2026-060, available at https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities, detailing a security update addressing this and other vulnerabilities in PowerProtect Data Domain. Security practitioners should consult the advisory for patch deployment instructions and mitigation guidance specific to affected versions.