Skip to main content

Storage Navigator CVE-2025-7386

| EUVDEUVD-2025-210366 MEDIUM
Insufficiently Protected Credentials (CWE-522)
2026-06-29 Hitachi GHSA-6x35-h74f-24j6
6.8
CVSS 3.1 · Vendor: Hitachi
Share

Severity by source

Vendor (Hitachi) PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
6.8 MEDIUM

PR:H confirmed by storage admin access requirement; S:C reflects exposed credentials enabling compromise of systems beyond Storage Navigator; no integrity or availability impact applies.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (Hitachi).

CVSS VectorVendor: Hitachi

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 07:16 vuln.today

DescriptionCVE.org

Information exposure vulnerability in Hitachi Storage Navigator.

This issue affects Hitachi Virtual Storage Platform 5100, 5200, 5500, 5600, 5100H, 5200H, 5500H, 5600H, VX8: before DKCMAIN Ver. 90-09-24-00/00, SVP Ver. 90-09-24/00, before DKCMAIN Ver. 90-08-86-00/00, SVP Ver. 90-08-86/00; Hitachi Virtual Storage Platform G1000, G1500, F1500, VX7: before DKCMAIN Ver. 80-06-96-00/00, SVP Ver. 80-06-91/00.

AnalysisAI

Credential exposure in Hitachi Storage Navigator allows authenticated storage administrators to extract insufficiently protected credentials through the network-accessible management interface, potentially enabling lateral movement to systems outside the storage platform's authorization boundary. Affected platforms span the Hitachi VSP 5000-series and G/F/VX-series enterprise storage arrays running pre-patch firmware versions on both the DKCMAIN and SVP components. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the CVSS Scope:Changed metric indicates that exposed credentials could be leveraged against systems well beyond Storage Navigator itself.

Technical ContextAI

Hitachi Storage Navigator is the web-based management interface for Hitachi Virtual Storage Platform enterprise storage arrays. The affected firmware components are the DKCMAIN (disk controller main firmware) and SVP (service processor), which jointly handle storage operations and the management plane. The root cause is CWE-522 (Insufficiently Protected Credentials), indicating that credentials accessible within the Storage Navigator interface are stored or transmitted without adequate protection - potentially in cleartext, weakly encoded, or in a location accessible to privileged users beyond their intended scope. The CVSS Scope:Changed metric indicates that credentials exposed through this vulnerability can be used to compromise systems outside the Storage Navigator authorization boundary, such as upstream management hosts or integrated identity systems. Two distinct CPE-identified product families are affected: cpe:2.3:a:hitachi:hitachi_virtual_storage_platform_5100,_5200,_5500,_5600,_5100h,_5200h,_5500h,_5600h,_vx8 and cpe:2.3:a:hitachi:hitachi_virtual_storage_platform_g1000,_g1500,_f1500,_vx7.

RemediationAI

Administrators should upgrade affected VSP 5100/5200/5500/5600/5100H/5200H/5500H/5600H/VX8 systems to DKCMAIN Ver. 90-09-24-00/00 with SVP Ver. 90-09-24/00, or to DKCMAIN Ver. 90-08-86-00/00 with SVP Ver. 90-08-86/00 for the applicable firmware branch; VSP G1000/G1500/F1500/VX7 systems should be upgraded to DKCMAIN Ver. 80-06-96-00/00 with SVP Ver. 80-06-91/00. Full patch guidance and firmware acquisition are available at the Hitachi advisory: https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_301.html. As compensating controls prior to patching, restrict Storage Navigator network reachability to a dedicated, firewalled management VLAN - this directly reduces the AV:N exposure surface even while the credential protection flaw persists. Additionally, audit and minimize accounts with storage administrator privileges (reducing the population of accounts whose compromise enables exploitation), rotate any service account or integration credentials that may have been exposed through the interface, and review administrative session logs for anomalous access patterns. Note that VLAN isolation does not eliminate the risk for insider threats with legitimate management-network access.

Share

CVE-2025-7386 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy