Dell PowerProtect Data Domain: Critical Weak Credentials Vulnerability

The National Vulnerability Database (NVD) has disclosed CVE-2026-23853, a high-severity use of weak credentials vulnerability impacting Dell PowerProtect Data Domain with Data Domain Operating System (DD OS). Specifically, feature release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, and LTS2024 release versions 7.13.1.0 through 7.13.1.50 are affected. This flaw carries a CVSS score of 8.4 (HIGH).

This isn’t a theoretical issue. An unauthenticated attacker with local access can exploit this vulnerability, potentially gaining unauthorized control over the system. The critical aspect here is the local access requirement – it points to an insider threat scenario or an attacker who has already achieved initial access through other means. Once local, the weak credentials provide a straightforward path to privilege escalation or lateral movement.

For defenders, this is a clear call to action. Dell PowerProtect Data Domain systems often hold an organization’s most critical data backups. Unauthorized access here could lead to data exfiltration, tampering, or even the deletion of backup sets, crippling recovery efforts during a ransomware attack or other disaster. The attacker’s calculus is simple: target the data that hurts the most when compromised.