Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L
Network-accessible management plane, but high complexity to forge firmware signing token; authenticated and interactive update required; no confidentiality impact confirmed in description.
Primary rating from Vendor (Hitachi).
CVSS VectorVendor: Hitachi
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Lack of validation for firmware update in Hitachi Hitachi Virtual Storage Platform One Block 23, 24, 26, 28.
This issue affects Hitachi Virtual Storage Platform One Block 23, 24, 26, 28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00.
AnalysisAI
Firmware update signature bypass in Hitachi Virtual Storage Platform One Block models 23, 24, 26, and 28 allows an authenticated remote attacker to supply unvalidated firmware packages, potentially compromising storage array integrity and availability. The root cause is CWE-347 (Improper Verification of Cryptographic Signature), and the 'Jwt Attack' tag suggests the firmware validation chain relies on a JWT-based signing mechanism that can be circumvented under specific conditions. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the self-disclosure by Hitachi with a coordinated patch release indicates vendor-confirmed severity.
Technical ContextAI
CWE-347 describes a failure to properly verify cryptographic signatures before trusting and acting on signed data. In this context, the affected firmware update subsystem of Hitachi VSP One Block (CPE: cpe:2.3:a:hitachi:hitachi_virtual_storage_platform_one_block_23,_24,_26,_28:*:*:*:*:*:*:*:*) does not rigorously validate the cryptographic signature or token (likely JWT-based, per the 'Jwt Attack' tag) accompanying a firmware package prior to applying it. Enterprise storage controllers typically gate firmware installations behind a signed manifest; a flaw in this gate allows crafted or forged update packages to bypass integrity checks. The vulnerability spans both the DKCMAIN disk controller firmware and ESM (Environmental Service Module) firmware components, indicating the validation gap exists across multiple update paths on the same platform.
RemediationAI
Upgrade Hitachi Virtual Storage Platform One Block models 23, 24, 26, and 28 to DKCMAIN firmware version A3-04-21-40/00 and ESM firmware version A3-04-21/00 or later, per the Hitachi security advisory at https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_308.html. As compensating controls pending patching, restrict access to the storage management interface to trusted administrator accounts only, enforce network segmentation so the management plane is not reachable from general corporate or untrusted networks, and audit firmware update activity logs for any unexpected update attempts. Disabling or tightly controlling who can initiate firmware update workflows reduces the PR:L + UI:R exploitation surface significantly. Note that network segmentation alone does not eliminate the risk if insider or compromised-credential scenarios are in scope.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210367
GHSA-vc2c-7fwx-x7mr