Impact
The vulnerability is caused by a lack of validation during firmware updates on Hitachi Virtual Storage Platform. Because the system does not verify the authenticity or integrity of firmware files, an attacker could replace legitimate firmware with a malicious one. This grants the attacker complete control over the storage device, enabling compromise of data confidentiality, integrity, and availability. The weakness maps to CWE-347: Improper Validation of Trust-or-Security-Critical Parameters.
Affected Systems
Hitachi Virtual Storage Platform One Block 23, 24, 26, and 28 that are running firmware before DKCMAIN A3-04-21-40/00 or ESM A3-04-21/00 are affected. These versions lack the validation logic required for secure firmware upgrades.
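To check an asset inventory against the fixed releases listed above, the following added example (not vendor or OpenCVE code) classifies each firmware component as affected, fixed, or needing review. The inventory row layout, the hostnames, and the rule that version fields order left to right are assumptions.

```python
import re

# Fixed releases and models as named in the advisory text above.
FIXED = {"DKCMAIN": "A3-04-21-40/00", "ESM": "A3-04-21/00"}
AFFECTED_MODELS = {"23", "24", "26", "28"}  # VSP One Block models

_VERSION_RE = re.compile(r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2})*/[0-9A-Fa-f]{2}")

def version_key(version):
    """Parse 'A3-04-21-40/00' into a tuple that sorts in release order.

    Assumption: two-character fields, compared left to right, revision last.
    Parsing each field as hex keeps the order of decimal fields intact.
    """
    text = version.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(field, 16) for field in re.split(r"[-/]", text))

def is_affected(model, component, version):
    """True if older than the fixed release, False if not, None if out of scope."""
    component = component.upper()
    if model not in AFFECTED_MODELS or component not in FIXED:
        return None
    return version_key(version) < version_key(FIXED[component])

def triage(inventory):
    """Map each (host, model, component, version) row to a status string."""
    report = {}
    for host, model, component, version in inventory:
        try:
            verdict = is_affected(model, component, version)
        except ValueError:
            # Never treat an unreadable version as safe; send it to a human.
            status = "review: unparseable version"
        else:
            status = {True: "affected", False: "fixed", None: "out of scope"}[verdict]
        report[(host, component.upper())] = status
    return report

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [
    ("stor-a", "24", "DKCMAIN", "A3-04-20-40/00"),
    ("stor-a", "24", "ESM", "A3-04-21/00"),
    ("stor-b", "28", "dkcmain", "A3-04-21-40/01"),
    ("stor-c", "28", "ESM", "unknown"),
]
```

Because the advisory names both DKCMAIN and ESM, a system is only cleared when every component row for it reports "fixed".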
Risk and Exploitability
The CVSS score of 3.7 indicates a moderate severity. EPSS is not available, and the vulnerability is not listed in CISA KEV. Based on the description, it is inferred that exploitation requires privileged or local access to the device’s management interface or physical access. Those who can send update commands can install arbitrary firmware and gain full control of the system.