HP Data Protector Express (DPX) contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
The vulnerability exists because the affected software improperly handles user-supplied input when creating new folders. An unauthenticated, remote attacker could exploit this vulnerability by creating malicious folders on a targeted system. If successful, the attacker could execute arbitrary code on the system with SYSTEM-level privileges.
Functional code that exploits this vulnerability is available as part of the Metasploit Framework.
HP has confirmed the vulnerability and released updated software.