Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules).
This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00.
AnalysisAI
Password field masking is absent in Hitachi Ops Center Analyzer, Ops Center Analyzer viewpoint, and Hitachi Infrastructure Analytics Advisor, exposing plaintext credentials to anyone with physical or visual access to the UI. Affected components include the detail view, probe modules, and Analytics probe modules across a wide version range. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects negligible automated exploitation probability.
Technical ContextAI
CWE-549 (Missing Password Field Masking) describes a UI-layer failure where input or display fields designated for sensitive credentials do not apply masking (e.g., asterisk substitution or hidden input types). In the context of Hitachi Ops Center Analyzer - an IT infrastructure monitoring and analytics platform - password fields within the detail view and probe module configuration interfaces render credentials in plaintext. The CVSS physical attack vector (AV:P) confirms exploitation requires direct proximity to the rendered interface. Affected CPEs include cpe:2.3:a:hitachi:hitachi_ops_center_analyzer, cpe:2.3:a:hitachi:hitachi_ops_center_analyzer_viewpoint, and cpe:2.3:a:hitachi:hitachi_infrastructure_analytics_advisor across all sub-versions prior to 11.0.8-00.
RemediationAI
The primary fix is to upgrade all affected products to version 11.0.8-00 or later, as confirmed by the vendor advisory at https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-120/index.html. This applies to Hitachi Ops Center Analyzer (from 10.0.0-00), Ops Center Analyzer viewpoint (from 10.8.1-00), and Hitachi Infrastructure Analytics Advisor (from 3.2.0-00). If immediate patching is not feasible, compensating controls should focus on physical and logical access restrictions: restrict access to workstations running the Ops Center console to authorized personnel only, enforce screen-lock policies to prevent unattended display of the UI, and consider deploying privacy screens on monitors in shared or open-floor environments. Additionally, rotate any credentials that may have been displayed in unmasked fields as a precaution. These mitigations reduce exposure but do not eliminate the underlying software defect.
More in Hitachi Ops Center Analyzer
View allSame weakness CWE-549 – Missing Password Field Masking
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31795
GHSA-43h6-xxqh-8cxp