Skip to main content

Hitachi Ops Center Analyzer CVE-2026-3314

| EUVDEUVD-2026-31795 MEDIUM
Missing Password Field Masking (CWE-549)
2026-05-26 Hitachi GHSA-43h6-xxqh-8cxp
4.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 11:31 vuln.today
Patch available
May 26, 2026 - 08:02 EUVD

DescriptionCVE.org

Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules).

This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00.

AnalysisAI

Password field masking is absent in Hitachi Ops Center Analyzer, Ops Center Analyzer viewpoint, and Hitachi Infrastructure Analytics Advisor, exposing plaintext credentials to anyone with physical or visual access to the UI. Affected components include the detail view, probe modules, and Analytics probe modules across a wide version range. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects negligible automated exploitation probability.

Technical ContextAI

CWE-549 (Missing Password Field Masking) describes a UI-layer failure where input or display fields designated for sensitive credentials do not apply masking (e.g., asterisk substitution or hidden input types). In the context of Hitachi Ops Center Analyzer - an IT infrastructure monitoring and analytics platform - password fields within the detail view and probe module configuration interfaces render credentials in plaintext. The CVSS physical attack vector (AV:P) confirms exploitation requires direct proximity to the rendered interface. Affected CPEs include cpe:2.3:a:hitachi:hitachi_ops_center_analyzer, cpe:2.3:a:hitachi:hitachi_ops_center_analyzer_viewpoint, and cpe:2.3:a:hitachi:hitachi_infrastructure_analytics_advisor across all sub-versions prior to 11.0.8-00.

RemediationAI

The primary fix is to upgrade all affected products to version 11.0.8-00 or later, as confirmed by the vendor advisory at https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-120/index.html. This applies to Hitachi Ops Center Analyzer (from 10.0.0-00), Ops Center Analyzer viewpoint (from 10.8.1-00), and Hitachi Infrastructure Analytics Advisor (from 3.2.0-00). If immediate patching is not feasible, compensating controls should focus on physical and logical access restrictions: restrict access to workstations running the Ops Center console to authorized personnel only, enforce screen-lock policies to prevent unattended display of the UI, and consider deploying privacy screens on monitors in shared or open-floor environments. Additionally, rotate any credentials that may have been displayed in unmasked fields as a precaution. These mitigations reduce exposure but do not eliminate the underlying software defect.

Share

CVE-2026-3314 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy