CVE-2026-35154 Overview
CVE-2026-35154 is an improper privilege management vulnerability [CWE-269] affecting Dell PowerProtect Data Domain appliances. The flaw resides in the Dell Data Domain Operating System (DDOS) and allows a high-privileged local attacker to elevate privileges and perform unauthorized delete operations on protected data. Because Data Domain appliances serve as backup and recovery targets, unauthorized deletion directly undermines data integrity and recoverability guarantees. Dell has issued advisory DSA-2026-060 to address this issue along with other vulnerabilities in the same product family.
Critical Impact
A high-privileged local attacker can elevate privileges to perform unauthorized delete operations against backup data stored on Dell PowerProtect Data Domain appliances, threatening the confidentiality, integrity, and availability of protected datasets.
Affected Products
- Dell PowerProtect Data Domain appliances running DDOS versions 7.7.1.0 through 8.7.0.0
- Dell PowerProtect Data Domain LTS2025 release versions 8.3.1.0 through 8.3.1.20
- Dell PowerProtect Data Domain LTS2024 release versions 7.13.1.0 through 7.13.1.60
Discovery Timeline
- 2026-04-20 - CVE-2026-35154 published to NVD
- 2026-05-11 - Last updated in NVD database
Technical Details for CVE-2026-35154
Vulnerability Analysis
The vulnerability is classified under [CWE-269]: Improper Privilege Management. Dell PowerProtect Data Domain enforces privilege boundaries between administrative roles to prevent any single account from bypassing retention and deletion controls. CVE-2026-35154 breaks that boundary. An authenticated local user with high privileges can perform delete operations that should require a separate authorization or role.
Data Domain appliances host long-term retention, replication targets, and compliance datasets. Unauthorized deletion of these resources can erase the only available recovery point following a ransomware incident. The CVSS vector indicates local attack surface and no user interaction, with high impact on confidentiality, integrity, and availability. EPSS data shows a low probability of in-the-wild exploitation at this time.
Root Cause
The root cause is improper enforcement of privilege separation within DDOS management functions. Code paths that execute delete operations do not adequately verify whether the calling identity holds the specific authorization required, allowing a high-privileged role to perform actions reserved for stricter administrative tiers such as security or retention officers.
Attack Vector
Exploitation requires local access to the appliance and an account with high privileges, such as an administrative shell or management console session. After authenticating, the attacker invokes delete-capable commands or API operations and leverages the privilege management defect to bypass the role-based check, deleting files, MTrees, or snapshots without dual-authorization. No verified public proof-of-concept is currently available. See the Dell Security Update Advisory for vendor-supplied technical context.
Detection Methods for CVE-2026-35154
Indicators of Compromise
- Unexpected delete operations against MTrees, snapshots, or backup files on Data Domain appliances outside of scheduled retention policies.
- Audit log entries showing administrative accounts executing destructive commands that historically required Security Officer co-authorization.
- Disabled, modified, or cleared retention lock and compliance settings prior to deletion events.
Detection Strategies
- Forward DDOS audit and sysadmin logs to a centralized SIEM and alert on filesys destroy, mtree delete, and snapshot deletion commands.
- Correlate administrative session activity with change management tickets to identify out-of-process delete operations.
- Baseline normal administrative behavior per account and alert on privilege escalation patterns or anomalous command sequences.
Monitoring Recommendations
- Continuously monitor authentication and command execution on all PowerProtect Data Domain appliances and replication peers.
- Track backup catalog integrity metrics, including file counts, MTree sizes, and snapshot inventories, for unexplained reductions.
- Review privileged account inventory weekly and remove unused or orphaned high-privilege accounts on the appliance.
How to Mitigate CVE-2026-35154
Immediate Actions Required
- Apply the Dell-supplied DDOS update referenced in advisory DSA-2026-060 to all affected appliances.
- Audit accounts with administrative, sysadmin, or security officer roles and reduce membership to the minimum required.
- Enable retention lock (compliance mode where supported) on critical MTrees to prevent deletion even by privileged accounts.
Patch Information
Dell has released fixed versions for Dell PowerProtect Data Domain via advisory DSA-2026-060. Customers should upgrade DDOS to a version newer than 8.7.0.0, LTS2025 newer than 8.3.1.20, or LTS2024 newer than 7.13.1.60 per the vendor advisory. Refer to the Dell Security Update Advisory for exact fixed-version numbers and upgrade procedures.
Workarounds
- Restrict local and management network access to Data Domain appliances using firewall ACLs and bastion hosts.
- Enforce multi-person authorization (Security Officer role) for destructive operations on MTrees and retention-locked data.
- Replicate critical backups to an air-gapped or immutable secondary tier so that deletion on one appliance does not destroy the last recovery point.
# Configuration example: enable retention lock and enforce security officer authorization
# Run from the Data Domain CLI with appropriate privileges
mtree retention-lock enable mode compliance mtree /data/col1/<mtree_name>
authorization policy set security-officer-authorization enabled
user role show
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

