CVE-2026-35154
Improper Privilege Management in Dell PowerProtect iDRAC Enables Privilege Escalation
Publication date: 2026-04-20
Last updated on: 2026-04-28
Assigner: Dell
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dell | data_domain_operating_system | From 7.13.1.0 (inc) to 7.13.1.70 (exc) |
| dell | data_domain_operating_system | From 8.3.0.0 (inc) to 8.3.1.30 (exc) |
| dell | data_domain_operating_system | From 8.4.0.0 (inc) to 8.6.1.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
How can this vulnerability impact me?
The impact of this vulnerability is significant because it allows a highly privileged attacker with local access to escalate their privileges further. This could lead to unauthorized deletion of data or configurations within the iDRAC system, potentially causing data loss, disruption of services, or compromise of system integrity.
Can you explain this vulnerability to me?
This vulnerability exists in Dell PowerProtect Data Domain appliances, specifically in versions 7.7.1.0 through 8.7.0.0 and certain LTS2025 and LTS2024 release versions. It is an improper privilege management issue within the iDRAC component. A highly privileged attacker who has local access to the system could exploit this flaw to elevate their privileges, allowing them to perform unauthorized delete operations within iDRAC.