Impact
The vulnerability arises from the lack of a mechanism to limit consecutive failed authentication attempts on the Hitachi Virtual Storage Platform. Attackers can repeatedly attempt to guess credentials without encountering account lockout or throttling, and once a valid credential is found they gain access to the administrative interface. The flaw falls under CWE-307 (Improper Restriction of Excessive Authentication Attempts) and could lead to unauthorized control over the storage system, including configuration changes, data exfiltration, or service disruption.
Affected Systems
Affected variants include the Hitachi Virtual Storage Platform lines G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, as well as E390, E590, E790, E990, E1090 and their enhanced H-series counterparts, and the One Block series (23, 24, 26, 28). The vulnerability applies to firmware versions prior to DKCMAIN Ver 88-08-16-xx/00, GUM Ver 88-08-20/00, DKCMAIN Ver 93-07-26-xx/00, GUM Ver 93-07-26/00, DKCMAIN Ver A3-04-02-xx/00, EMS Ver A3-04-02/00, DKCMAIN Ver A3-03-41-xx/00, EMS Ver A3-03-41/00, DKCMAIN Ver A3-03-03-xx/00, and EMS Ver A3-03-02/00. Current releases after these build numbers contain the fix.
Risk and Exploitability
The CVSS base score of 5.3 indicates a moderate impact. No EPSS score is available, so the current estimated likelihood of exploitation is unknown, but the lack of an account lockout mechanism suggests a high potential for brute-force attacks if the management interface is exposed. The vulnerability is not listed in the CISA KEV catalog, so no active exploitation has been reported, but the presence of an unauthenticated attack path warrants timely patching. Attackers would first need network access to the management plane and could then repeatedly submit login requests until credentials are discovered.
OpenCVE Enrichment