Description
OS command injection vulnerability in the management GUI (maintenance utility) of Hitachi Virtual Storage Platform One Block 23, 24, 26 and 28.

This issue affects Hitachi Virtual Storage Platform One Block 23/24/26/28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00.
Published: 2026-05-07
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw exists in the maintenance utility of the Hitachi Virtual Storage Platform One Block 23, 24, 26, and 28. When an attacker submits crafted input through the web-based management interface, arbitrary shell commands can be executed on the underlying operating system. The weakness is classified as CWE-78 (improper handling of input passed to an OS command) and allows full compromise of the confidentiality, integrity, and availability of the storage controller and any data therein.

Affected Systems

The flaw affects Hitachi Virtual Storage Platform One Block 23, 24, 26, and 28 running firmware versions prior to DKCMAIN A3‑04‑21‑40/00 or ESM A3‑04‑21/00. Any deployment on these product lines that has not yet applied these builds is vulnerable.

Risk and Exploitability

The CVSS score of 8.1 classifies the risk as high. EPSS data are not provided, so the exact likelihood is unknown, though the absence of a KEV listing suggests that widespread exploitation has not yet been documented. The vulnerability is likely exploitable via the web‑based GUI, requiring access to the management network or compromised credentials. Internal attackers or those with network access to the control interface could continue to exploit the flaw until mitigated.

Generated by OpenCVE AI on May 7, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Hitachi Virtual Storage Platform firmware to at least DKCMAIN A3‑04‑21‑40/00 or ESM A3‑04‑21/00, which contain the fix for this command‑injection flaw.
  • Restrict access to the management GUI by tightening network segmentation, firewall rules, or VPN requirements so that only trusted IP addresses can reach the control interface.
  • Enforce strong authentication methods, consider multi‑factor authentication, and monitor logs for evidence of unexpected command execution or anomalous activity.

Advisories

No advisories yet.

History

Thu, 07 May 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 07:30:00 +0000

Type | Values Removed | Values Added
Description | | OS command injection vulnerability in the management GUI (maintenance utility) of Hitachi Virtual Storage Platform One Block 23, 24, 26 and 28. This issue affects Hitachi Virtual Storage Platform One Block 23/24/26/28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00.
Title | | OS command injection vulnerability in the management GUI (maintenance utility) of Hitachi Virtual Storage Platform One Block 23/24/26/28
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Hitachi

Published:

Updated: 2026-05-07T13:02:35.204Z

Reserved: 2025-08-29T07:14:42.691Z

Link: CVE-2025-9661

Vulnrichment

Updated: 2026-05-07T13:02:22.155Z

NVD

Status: Received

Published: 2026-05-07T08:16:00.317

Modified: 2026-05-07T08:16:00.317

Link: CVE-2025-9661

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T08:30:25Z

Weaknesses