Connect with us

Hi, what are you looking for?


Data Protection

Dell Urges Customers to Patch Vulnerabilities in PowerProtect Products

Dell is informing PowerProtect DD product customers about 8 vulnerabilities, including many rated ‘high severity’, and urging them to install patches.

Dell is urging customers of its PowerProtect products to review a newly released security advisory and patch a series of potentially serious vulnerabilities.

The vulnerabilities impact PowerProtect Data Domain (DD) series appliances, which are designed to help organizations protect, manage and recover data at scale. APEX Protect Storage, PowerProtect DD Management Center, PowerProtect DP series appliances, and PowerProtect Data Manager appliances are also affected.

The most serious of the flaws — based on its CVSS score of 8.8 — is CVE-2023-44286, described as a DOM-based cross-site scripting (XSS) issue that allows a remote, unauthenticated attacker to inject malicious code into the targeted user’s browser. 

Exploitation could lead to client-side request forgery, session theft and information disclosure. While it’s not specified in Dell’s advisory, exploiting these types of flaws typically involves the attacker tricking the victim into clicking on a malicious link.  

Several other vulnerabilities have been assigned a ‘high severity’ rating, including OS command injection and improper access control flaws. 

The command injection bugs can be exploited to execute arbitrary commands on the underlying operating system with the privileges of the vulnerable exploitation, and they could allow an attacker to take over the targeted system. 

Exploitation requires local access and either low or elevated privileges. However, it may be possible for an attacker to exploit a vulnerability such as CVE-2023-44286 to achieve the authentication requirement.

The three medium-severity flaws found in PowerProtect products can be exploited by an authenticated attacker to bypass security restrictions and take over the system, gain read and write access to OS files, and execute arbitrary SQL commands on the application’s backend database and gain read access to app data. 

Advertisement. Scroll to continue reading.

“Dell Technologies released remediations for vulnerabilities that impact certain Dell PowerProtect Data Domain products. We encourage customers to immediately review and implement the remediation steps in Dell Security Advisory (DSA-2023-412) for affected products, versions and additional information. The security of our products is a top priority and critical to protecting our customers,” Dell said in a statement shared with SecurityWeek.

The company said it worked quickly to remediate the vulnerability and it’s currently not aware of any active exploitation. 

It’s worth noting that Dell product vulnerabilities are known to have been exploited by sophisticated threat actors in their attacks. 

Dell recently also informed customers about a high-severity privilege escalation vulnerability in PowerEdge Server BIOS, dozens of flaws in PowerMax and Unisphere products, and dozens of vulnerabilities impacting third-party components of VxRail Manager

Related: Enterprise, Consumer Devices Exposed to Attacks via Malicious UEFI Logo Images

Related: High-Severity UEFI Vulnerabilities Patched in Dell Enterprise Laptops

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...