Cyber Resilience

CVE-2026-24506

HighRCE

Published: 20 April 2026

Published
20 April 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0009 25.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24506 is a high-severity OS Command Injection (CWE-78) vulnerability in Dell PowerProtect Data (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24506 is an OS command injection vulnerability (CWE-78) in Dell PowerProtect Data Domain storage appliances. It affects versions 7.7.1.0 through 8.6, LTS2025 release versions 8.3.1.0 through 8.3.1.20, and LTS2024 release versions 7.13.1.0 through 7.13.1.60. The vulnerability, published on 2026-04-20, has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

A high-privileged attacker with remote network access can exploit this vulnerability to achieve arbitrary command execution with root privileges on the affected system. Exploitation requires elevated privileges (PR:H) but low complexity (AC:L), no user interaction (UI:N), and operates over the network (AV:N) without changing scope (S:U).

Dell has published advisory DSA-2026-060, available at https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities, detailing a security update addressing this and other vulnerabilities in PowerProtect Data Domain. Security practitioners should consult the advisory for patch deployment instructions and mitigation guidance specific to affected versions.

EU & UK References

Vulnerability details

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to…

more

arbitrary command execution as root.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

OS command injection in public-facing Dell appliance directly enables remote exploitation (T1190), Unix shell command execution (T1059.004), and privilege escalation to root (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-56102Shared CWE-78
CVE-2025-20029Shared CWE-78
CVE-2026-28774Shared CWE-78
CVE-2026-30809Shared CWE-78
CVE-2025-56077Shared CWE-78
CVE-2026-28773Shared CWE-78
CVE-2025-66210Shared CWE-78
CVE-2025-56094Shared CWE-78
CVE-2026-27635Shared CWE-78
CVE-2026-28269Shared CWE-78

Affected Assets

Dell
PowerProtect Data
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through vendor patching directly eliminates the OS command injection vulnerability in affected Dell PowerProtect Data Domain versions.

prevent

Information input validation prevents OS command injection by ensuring inputs to the vulnerable component are sanitized and do not contain executable commands.

prevent

Least privilege limits high-privileged remote access, reducing the attack surface for exploitation requiring PR:H.

References