Hewlett Packard Enterprise (HPE) has issued a security alert for storage administrators, warning of a high-severity vulnerability affecting its flagship enterprise storage arrays. The flaw, tracked as CVE-2026-23594, carries a CVSS score of 8.8, signaling a significant risk to organizations relying on these systems for critical data management.
The vulnerability affects HPE Alletra and Nimble Storage arrays, potentially allowing attackers to gain unauthorized control over the operating system.
The core of the issue lies in how the storage operating system handles permissions in specific setups. According to the security bulletin, “A vulnerability in certain configurations of Alletra 6000, Alletra 5000, and HPE Nimble Storage Array OS could lead to remote privilege elevation”.
This means a remote attacker—someone not physically present at the data center—could exploit this flaw to escalate their privileges, potentially gaining administrative control over the storage array. In an enterprise environment, such access could be catastrophic, allowing an intruder to exfiltrate sensitive data, disrupt operations, or deploy ransomware directly onto the backup and storage infrastructure.
The vulnerability spans several product lines in HPE’s portfolio. Administrators should immediately check if they are running the following hardware:
- HPE Alletra 6000 & 5000
- HPE Nimble Storage Hybrid Flash Arrays
- Nimble Storage All Flash Arrays
The flaw impacts array OS versions prior to 6.1.2.800, and 6.1.3 releases prior to 6.1.3.300, across all these platforms.
HPE has moved quickly to close this security hole. Storage admins are urged to upgrade their array OS to version 6.1.2.800 or 6.1.3.300 immediately to mitigate the risk of unauthorized access.
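For teams tracking many arrays, the version ranges above can be checked mechanically. The following is an added example, not code from HPE or the bulletin: it classifies version strings against the two fixed releases named in this article. The array names, the sample versions, and the handling of a build suffix after the fourth version field are assumptions made for illustration.

```python
import re

FIXED_612 = (6, 1, 2, 800)  # fixed 6.1.2 release named in the article
FIXED_613_BUILD = 300       # fixed 6.1.3 release is 6.1.3.300


def parse_version(text):
    """Return the first four dotted integers of an array OS version string.

    Assumption: anything after the fourth field (such as a build suffix)
    is ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def status(version_text):
    """Classify a version as 'affected', 'fixed' or 'unlisted'."""
    v = parse_version(version_text)
    branch, build = v[:3], v[3]
    if branch == (6, 1, 3):
        return "affected" if build < FIXED_613_BUILD else "fixed"
    if v < FIXED_612:
        return "affected"
    if branch == (6, 1, 2):
        return "fixed"
    return "unlisted"  # branches after 6.1.3 are not covered by the article


def triage(inventory):
    """Map array name -> status; unparseable versions are marked 'review'."""
    report = {}
    for name, version in inventory.items():
        try:
            report[name] = status(version)
        except ValueError:
            report[name] = "review"
    return report


# Constructed sample inventory (names and versions are made up).
SAMPLE = {"array-a": "6.1.2.500-1000001-opt", "array-b": "6.1.2.800",
          "array-c": "6.1.3.100", "array-d": "6.1.3.300-1000002-opt",
          "array-e": "5.2.1.900", "array-f": "unknown"}

if __name__ == "__main__":
    for name, result in triage(SAMPLE).items():
        print(f"{name}: {result}")
```

Anything reported as "unlisted" or "review" should be checked against the HPE bulletin directly rather than assumed safe.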