
HPE Alletra and Nimble Storage Vulnerability Allows Remote Attackers to Gain Admin Access

Hewlett Packard Enterprise (HPE) has released a security bulletin for a high‑severity vulnerability affecting HPE Alletra and Nimble Storage arrays.

The flaw, tracked as CVE-2026-23594, could allow a remote attacker with low-level access to gain full administrative control of affected systems.

The issue is described in Security Bulletin HPESBST04995 rev.1, published on 20 January 2026 and last updated on 21 January 2026.

HPE classifies the impact as “Remote: Increased Privilege”, meaning the attacker can elevate their permissions once they can connect to the device.

Vulnerability details

The vulnerability exists in certain configurations of HPE Alletra 6000, HPE Alletra 5000, and HPE Nimble Storage Array OS.

According to HPE, a remote attacker with low privileges can exploit this flaw to escalate to higher privileges, including administrative access.

HPE rates the bug with a CVSS v3.1 base score of 8.8 (High), using the following vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

This score indicates:

  • Network‑accessible (AV:N)
  • Low attack complexity (AC:L)
  • Requires low privileges (PR:L)
  • No user interaction required (UI:N)
  • High impact on confidentiality, integrity, and availability (C:H/I:H/A:H)

In practice, this means that once an attacker has basic authenticated access over the network, they may be able to compromise the storage system fully.

HPE notes that only specific versions of Alletra OS / Nimble OS are impacted. Systems running the following versions are vulnerable:

  • HPE Alletra 6000 – versions prior to 6.1.2.800, and 6.1.3 prior to 6.1.3.300
  • HPE Alletra 5000 – versions prior to 6.1.2.800, and 6.1.3 prior to 6.1.3.300
  • HPE Nimble Storage Hybrid Flash Arrays – versions prior to 6.1.2.800, and 6.1.3 prior to 6.1.3.300
  • Nimble Storage All Flash Arrays – versions prior to 6.1.2.800, and 6.1.3 prior to 6.1.3.300

HPE has released the following updates to address the flaw:

  • Alletra / Nimble OS 6.1.2.800
  • Alletra / Nimble OS 6.1.3.300

  • CVE ID: CVE-2026-23594
  • Severity (CVSS v3.1): 8.8 (High)
  • Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Impact: Remote privilege escalation to admin
  • Affected Products / Versions: HPE Alletra 6000, Alletra 5000, Nimble Storage Hybrid Flash & All Flash Arrays – OS < 6.1.2.800; 6.1.3 < 6.1.3.300
  • Fixed Versions: 6.1.2.800, 6.1.3.300

Administrators should:

  • Immediately upgrade affected arrays to 6.1.2.800 or 6.1.3.300 (or later).
  • Review access controls to ensure only trusted accounts can authenticate to management interfaces.
  • Align patching with internal patch management policies and monitor HPE’s security bulletin and update channels for future advisories.
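
To apply the version ranges above across a fleet, the following added example (not HPE's code or tooling) classifies array OS version strings against the two fixed releases. It assumes versions are four dotted numbers, optionally followed by a hyphenated build suffix that is ignored; the array names and inventory are constructed.

```python
import re

# Fixed releases named in the bulletin summary above.
FIXED_612 = (6, 1, 2, 800)   # fix for everything outside the 6.1.3 train
FIXED_613 = (6, 1, 3, 300)   # fix for the 6.1.3 train

def parse_version(text):
    """Return the leading dotted version as a 4-tuple of ints, or None.

    Assumption: anything after a '-' or whitespace is a build suffix.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)(?:[-\s]|$)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version_text):
    """Return 'vulnerable', 'not_affected', or 'unknown' (review by hand)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    # The 6.1.3 train has its own fix level: 6.1.3.100 sorts above
    # 6.1.2.800 numerically but is still listed as affected.
    if v[:3] == (6, 1, 3):
        return "vulnerable" if v < FIXED_613 else "not_affected"
    return "vulnerable" if v < FIXED_612 else "not_affected"

def triage(inventory):
    """Map each (name, version) pair to its classification."""
    return {name: classify(version) for name, version in inventory}

# Constructed sample inventory; hostnames and versions are illustrative.
INVENTORY = [
    ("array-a", "6.1.2.700"),
    ("array-b", "6.1.2.800"),
    ("array-c", "6.1.3.100"),
    ("array-d", "6.1.3.300"),
    ("array-e", "5.2.1.600-123456-opt"),
    ("array-f", "not reported"),
]

if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name:10} {status}")
```

Arrays reported as "unknown" returned a version string the parser could not read and should be checked manually rather than assumed safe.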

HPE customers can contact HPE support or the HPE Product Security Response Team for assistance in implementing these fixes or reporting new issues.


The post HPE Alletra and Nimble Storage Vulnerability Allows Remote Attackers to Gain Admin Access appeared first on Cyber Security News.
