CVE-2025-65115

EUVD-2025-209255 | HIGH | CVSS 3.1: 8.8
2026-04-07 | Hitachi | GHSA-h2gf-w3wm-8xqj

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 07, 2026 - 05:30 (vuln.today)
EUVD ID Assigned: Apr 07, 2026 - 05:30 (euvd), EUVD-2025-209255
CVE Published: Apr 07, 2026 - 05:19 (nvd), HIGH 8.8

Description

Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows. This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13.

Analysis

Remote code execution in Hitachi's JP1/IT Desktop Management suite allows authenticated network attackers to execute arbitrary code on Windows systems running Manager, Operations Director, and Client components. The issue affects multiple product generations spanning versions 9.x through 13.x across nine distinct product lines. The CVSS score of 8.8 reflects a network-accessible attack surface with low attack complexity, requiring only low-privilege authentication. No public exploit was identified at time of analysis, though CWE-73 (external control of file name or path) indicates potential for path traversal-based exploitation. Hitachi has released fixed versions 13-50-02, 13-11-04, 13-10-07, 13-01-07, 13-00-05, and 12-60-12 for actively supported products.

Technical Context

This vulnerability manifests in Hitachi's enterprise systems management platform built on the Job Management Partner framework, specifically affecting desktop management and software distribution components running on Windows infrastructure. The CWE-73 classification (external control of file name or path) indicates that user-supplied input can influence file names or paths used in filesystem operations, suggesting attackers can manipulate file name or path parameters to reference unauthorized system resources. Given the product's role in centralized IT asset management, software distribution, and network device management across corporate environments, vulnerable components likely expose file upload, configuration import, or software deployment interfaces over the network. The affected CPE strings encompass three product evolution stages: legacy JP1/NETM/DM and Software Distribution series (v9.x), JP1/IT Desktop Management (v9-10), and current JP1/IT Desktop Management 2 (v10-13), indicating a longstanding architectural weakness persisting across platform iterations.

Affected Products

Affected products include JP1/IT Desktop Management 2 - Manager versions 13-50 through 13-50-01, 13-11 through 13-11-03, 13-10 through 13-10-06, 13-01 through 13-01-06, 13-00 through 13-00-04, 12-60 through 12-60-11, and 10-50 through 12-50-11 on Windows. JP1/IT Desktop Management 2 - Operations Director shares identical affected version ranges. Legacy products include Job Management Partner 1/IT Desktop Management 2 - Manager (10-50 through 10-50-11), JP1/IT Desktop Management - Manager and Job Management Partner 1/IT Desktop Management - Manager (both 09-50 through 10-10-16), JP1/NETM/DM Manager and Client (09-00 through 10-20-02), and Job Management Partner 1/Software Distribution Manager and Client (09-00 through 09-51-13). Complete version-specific CPE identifiers are available via the Hitachi Security Advisory at https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html.

Remediation

Organizations must immediately upgrade affected Hitachi JP1 components to patched versions as detailed in Hitachi Security Advisory hitachi-sec-2026-118. For JP1/IT Desktop Management 2 - Manager and Operations Director, apply version 13-50-02 (for 13-50 series), 13-11-04 (for 13-11 series), 13-10-07 (for 13-10 series), 13-01-07 (for 13-01 series), 13-00-05 (for 13-00 series), or 12-60-12 (for 12-60 series). Organizations running legacy versions 10-50 through 12-50-11 should consult Hitachi support for migration paths, as these fall outside standard support lifecycles. For end-of-life products (JP1/NETM/DM, Software Distribution 9.x series), migration to supported JP1/IT Desktop Management 2 platforms is required. Interim risk reduction measures include restricting network access to JP1 management interfaces via firewall rules, implementing multi-factor authentication for all management accounts, and monitoring file system activity for unusual path traversal patterns in JP1 service logs. Full remediation guidance is available at https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html.
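
The affected ranges under Affected Products and the fixed releases under Remediation can be applied to a software inventory as follows. This is an added example, not code from Hitachi or from this page; it assumes versions are plain VV-RR[-SS] strings compared numerically field by field, and the inventory rows and host names are constructed.

```python
import re

# Ranges transcribed from the advisory text above: (first affected, bound, bound_is_fixed).
# True  = "from X before Y": Y is the first fixed release.
# False = "from X through Y": Y is the last affected release, no fix listed on this page.
DM2 = [("13-50", "13-50-02", True), ("13-11", "13-11-04", True),
       ("13-10", "13-10-07", True), ("13-01", "13-01-07", True),
       ("13-00", "13-00-05", True), ("12-60", "12-60-12", True),
       ("10-50", "12-50-11", False)]
AFFECTED = {
    "JP1/IT Desktop Management 2 - Manager": DM2,
    "JP1/IT Desktop Management 2 - Operations Director": DM2,
    "Job Management Partner 1/IT Desktop Management 2 - Manager": [("10-50", "10-50-11", False)],
    "JP1/IT Desktop Management - Manager": [("09-50", "10-10-16", False)],
    "Job Management Partner 1/IT Desktop Management - Manager": [("09-50", "10-10-16", False)],
    "JP1/NETM/DM Manager": [("09-00", "10-20-02", False)],
    "JP1/NETM/DM Client": [("09-00", "10-20-02", False)],
    "Job Management Partner 1/Software Distribution Manager": [("09-00", "09-51-13", False)],
    "Job Management Partner 1/Software Distribution Client": [("09-00", "09-51-13", False)],
}

def parse(version):
    """'13-10-06' -> (13, 10, 6); a missing revision ('13-10') counts as 0."""
    m = re.fullmatch(r"(\d{2})-(\d{2})(?:-(\d{2}))?", version.strip())
    if not m:
        raise ValueError(f"not a VV-RR[-SS] version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(product, version):
    """Return (status, fixed_version_or_None) for one installed component."""
    if product not in AFFECTED:
        return ("not-listed", None)
    v = parse(version)
    for first, bound, bound_is_fixed in AFFECTED[product]:
        lo, hi = parse(first), parse(bound)
        if bound_is_fixed and lo <= v < hi:
            return ("affected", bound)
        if not bound_is_fixed and lo <= v <= hi:
            return ("affected-no-listed-fix", None)
    return ("outside-listed-ranges", None)

# Constructed sample inventory (host names and versions are made up for the example).
INVENTORY = [("mgr01", "JP1/IT Desktop Management 2 - Manager", "13-10-06"),
             ("mgr02", "JP1/IT Desktop Management 2 - Manager", "13-50-02"),
             ("dist01", "JP1/NETM/DM Client", "10-20-02")]

def report(inventory):
    return [(host, *triage(product, version)) for host, product, version in inventory]
```

A result of outside-listed-ranges only means the version falls in none of the ranges quoted on this page; confirm it against the Hitachi advisory before treating the host as fixed.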

Priority Score

Score: 44 (scale: Low, Medium, High, Critical)
KEV: 0
EPSS: +0.1
CVSS: +44
POC: 0
