An attacker can cause arbitrary code execution on a Windows system running any of Hitachi’s JP1/IT Desktop Management 2, JP1/NETM/DM, or Job Management Partner 1 components that satisfy the vulnerability matrix. The flaw, identified as CWE-73, arises from unsanitized handling of user‑controlled input, allowing execution of commands that target the underlying operating system. Successful exploitation would break confidentiality, integrity, and availability of the affected services and any data they manage.

Affected vendors include Hitachi, with products JP1/IT Desktop Management 2 – Manager, Operations Director, JP1/IT Desktop Management – Manager, JP1/NETM/DM – Manager and Client, and Job Management Partner 1 – IT Desktop Management, IT Desktop Management 2 – Manager, Software Distribution Manager, and Software Distribution Client. Vulnerable versions range from 09‑50 through 10‑10‑16 for the JP1/IT Desktop Management series, from 09‑00 through 10‑20‑02 for the JP1/NETM/DM series, and from 09‑00 through 09‑51‑13 for the Job Management Partner 1 Software Distribution series. Within each series, all releases before the specified version markers (e.g., before 13‑50‑02, before 13‑11‑04, before 13‑10‑07, before 13‑01‑07, before 13‑00‑05, before 12‑60‑12, and earlier 10‑50 through 12‑50‑11) are affected.

The CVSS score of 8.8 classifies the vulnerability as high severity. The EPSS score is not provided, so the current exploitation probability cannot be quantified from the available data. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the attack vector requires network access to the management components, as the flaw is a remote code execution vulnerability on Windows installations of the product.