The flaw, tracked as CVE-2026-23594, impacts HPE Alletra 6000, Alletra 5000, and Nimble Storage arrays running vulnerable firmware versions.
The vulnerability exists in specific configurations of the affected storage operating systems and enables remote privilege elevation when exploited.
With a CVSS v3.1 score of 8.8 (High), the flaw requires low attack complexity and only low-level privileges to exploit, making it particularly dangerous for enterprise environments where storage systems are network-accessible.
| CVE ID | CVSS 3.1 Vector | CVSS Score | Severity | Impact Type | Attack Vector |
|---|---|---|---|---|---|
| CVE-2026-23594 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | High | Remote Privilege Elevation | Network |
According to HPE’s security bulletin HPESBST04995, successful exploitation grants attackers high impact across confidentiality, integrity, and availability, effectively providing complete system compromise.
The attack vector is network-based with no user interaction required, allowing threat actors to escalate from limited user accounts to complete administrative control.
The vulnerability affects multiple HPE storage product lines running Array OS versions before the patched releases.
Organizations using the following platforms should prioritize remediation:
| Product | Affected Versions |
|---|---|
| HPE Alletra 6000 | < 6.1.2.800; 6.1.3 < 6.1.3.300 |
| HPE Alletra 5000 | < 6.1.2.800; 6.1.3 < 6.1.3.300 |
| Nimble Storage Hybrid Flash | < 6.1.2.800; 6.1.3 < 6.1.3.300 |
| Nimble Storage All Flash | < 6.1.2.800; 6.1.3 < 6.1.3.300 |
Read each range as: every release before 6.1.2.800, and 6.1.3.x releases before 6.1.3.300.
HPE released security patches on January 20, 2026, to address the privilege escalation flaw.
Administrators should immediately upgrade vulnerable systems to one of the following patched versions: Alletra OS 6.1.2.800, Alletra OS 6.1.3.300.
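Checking a fleet of arrays against the affected ranges is easy to get wrong when versions are compared as strings ("6.1.10.0" sorts below "6.1.2.800" lexicographically). The following added example, not code from HPE or this article, parses Array OS / Alletra OS version strings into numeric tuples and triages a constructed inventory. It assumes the bulletin's range notation means "every release before 6.1.2.800" and "6.1.3.x releases before 6.1.3.300", that a version string begins with dotted integers and any trailing build suffix can be ignored, and that the upgrade target is the nearest patched release on the array's current train; the inventory, array names, and the "6.1.10.0" release are sample data made up for the example.

```python
"""Triage storage arrays against the affected ranges for CVE-2026-23594.

Added example, not HPE's tooling. Range interpretation, suffix handling and
the choice of upgrade target are assumptions stated in the lead-in.
"""
import re

FIXED_612 = (6, 1, 2, 800)   # first patched release on the 6.1.2 train
FIXED_613 = (6, 1, 3, 300)   # first patched release on the 6.1.3 train

# (train prefix, first fixed version): a version is affected when it starts
# with the prefix and sorts below the fix; the empty prefix matches everything.
AFFECTED_RANGES = [
    ((), FIXED_612),
    ((6, 1, 3), FIXED_613),
]


def parse_version(text):
    """'6.1.2.800' -> (6, 1, 2, 800).

    Tuples compare component-wise as integers, which is the comparison a
    release number needs; a trailing build suffix (assumed format) is ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version_text):
    """True when the version falls inside any affected range."""
    v = parse_version(version_text)
    return any(v[:len(prefix)] == prefix and v < fixed
               for prefix, fixed in AFFECTED_RANGES)


def target_version(version_text):
    """Nearest patched release on the array's current train (assumption; follow HPE's upgrade path)."""
    v = parse_version(version_text)
    fixed = FIXED_613 if v[:3] == (6, 1, 3) else FIXED_612
    return ".".join(str(p) for p in fixed)


def triage(inventory):
    """Return (name, version, target) for every array that still needs the patch."""
    return [(name, ver, target_version(ver))
            for name, ver in inventory if is_affected(ver)]


SAMPLE_INVENTORY = [  # constructed sample data, not real arrays
    ("alletra6k-prod-01", "6.1.2.800"),
    ("alletra5k-prod-02", "6.1.2.700"),
    ("nimble-hf-dr-01", "6.1.3.100"),
    ("nimble-af-lab-01", "6.0.0.300"),
    ("alletra6k-test-01", "6.1.10.0"),  # fictional later release: shows the string-comparison pitfall
]

if __name__ == "__main__":
    for name, ver, target in triage(SAMPLE_INVENTORY):
        print(f"{name}: {ver} is affected, upgrade to {target}")
```

Feed it the version strings your own inventory or monitoring tool reports for each array; anything it lists should be scheduled for upgrade through the normal change window, and anything on a release train the bulletin does not mention should be confirmed against HPE's bulletin rather than assumed clean.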
The patches eliminate the configuration weakness that allowed privilege escalation, restoring proper access controls within the storage management interface.
Enterprise storage systems frequently contain business-critical data and serve as single points of failure for production environments.
Unauthorized administrative access could enable attackers to exfiltrate sensitive information, deploy ransomware, or disrupt storage operations across entire data centers.
Organizations should treat this vulnerability as a high priority and deploy patches in accordance with their change management procedures.
HPE recommends that customers apply third-party security patches in accordance with established patch management policies and contact HPE Services support for assistance with implementation.
The post HPE Alletra and Nimble Storage Vulnerability Grants Admin Access to Remote Attacker appeared first on Cyber Security News.