Description
OS command injection vulnerability in the management GUI (maintenance utility) of Hitachi Virtual Storage Platform One Block 23, 24, 26 and 28.

This issue affects Hitachi Virtual Storage Platform One Block 23/24/26/28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00.
Published: 2026-05-07
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw exists in the maintenance utility of the Hitachi Virtual Storage Platform One Block 23, 24, 26, and 28. When an attacker submits specially crafted input through the web-based management interface, arbitrary shell commands can be executed on the underlying operating system. The weakness is classified as CWE-78 (improper handling of input that reaches an OS command) and allows full compromise of the confidentiality, integrity, and availability of the storage controller and any data therein.

Affected Systems

The flaw affects Hitachi Virtual Storage Platform One Block 23, 24, 26, and 28 running firmware versions prior to DKCMAIN A3‑04‑21‑40/00 or ESM A3‑04‑21/00. Any deployment on these product lines that has not yet applied these builds is vulnerable.

Risk and Exploitability

The CVSS score of 8.1 classifies the risk as high. EPSS data are not provided, so the exact likelihood is unknown, though the absence of a KEV listing suggests that widespread exploitation has not yet been documented. The vulnerability is likely exploitable via the web‑based GUI, requiring access to the management network or compromised credentials. Internal attackers or those with network access to the control interface could continue to exploit the flaw until mitigated.

Generated by OpenCVE AI on May 7, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Hitachi Virtual Storage Platform firmware to at least DKCMAIN A3‑04‑21‑40/00 or ESM A3‑04‑21/00, which contain the fix for this command‑injection flaw.
  • Restrict access to the management GUI by tightening network segmentation, firewall rules, or VPN requirements so that only trusted IP addresses can reach the control interface.
  • Enforce strong authentication methods, consider multi‑factor authentication, and monitor logs for evidence of unexpected command execution or anomalous activity.

Generated by OpenCVE AI on May 7, 2026 at 08:20 UTC.

Advisories

No advisories yet.

History

Fri, 08 May 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Hitachi virtual Storage One Block |
| CPEs | | cpe:2.3:a:hitachi:virtual_storage_one_block:23:*:*:*:*:*:*:* |
| | | cpe:2.3:a:hitachi:virtual_storage_one_block:24:*:*:*:*:*:*:* |
| | | cpe:2.3:a:hitachi:virtual_storage_one_block:26:*:*:*:*:*:*:* |
| | | cpe:2.3:a:hitachi:virtual_storage_one_block:28:*:*:*:*:*:*:* |
| Vendors & Products | | Hitachi virtual Storage One Block |

Thu, 07 May 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Hitachi |
| | | Hitachi hitachi Virtual Storage Platform One Block 23 |
| | | Hitachi hitachi Virtual Storage Platform One Block 24 |
| | | Hitachi hitachi Virtual Storage Platform One Block 26 |
| | | Hitachi hitachi Virtual Storage Platform One Block 28 |
| Vendors & Products | | Hitachi |
| | | Hitachi hitachi Virtual Storage Platform One Block 23 |
| | | Hitachi hitachi Virtual Storage Platform One Block 24 |
| | | Hitachi hitachi Virtual Storage Platform One Block 26 |
| | | Hitachi hitachi Virtual Storage Platform One Block 28 |

Thu, 07 May 2026 13:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 07 May 2026 07:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | OS command injection vulnerability in the management GUI (maintenance utility) of Hitachi Virtual Storage Platform One Block 23, 24, 26 and 28. This issue affects Hitachi Virtual Storage Platform One Block 23/24/26/28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00. |
| Title | | OS command injection vulnerability in the management GUI (maintenance utility) of Hitachi Virtual Storage Platform One Block 23/24/26/28 |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: Hitachi

Published:

Updated: 2026-05-07T13:02:35.204Z

Reserved: 2025-08-29T07:14:42.691Z

Link: CVE-2025-9661

Vulnrichment

Updated: 2026-05-07T13:02:22.155Z

NVD

Status : Analyzed

Published: 2026-05-07T08:16:00.317

Modified: 2026-05-08T16:59:28.053

Link: CVE-2025-9661

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:25:03Z
