CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
OS command injection vulnerability in the management GUI (maintenance utility) of Hitachi Virtual Storage Platform One Block 23, 24, 26 and 28.
This issue affects Hitachi Virtual Storage Platform One Block 23/24/26/28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00.
Analysis (AI)
Remote command injection in Hitachi Virtual Storage Platform One Block versions 23, 24, 26, and 28 allows unauthenticated attackers to execute arbitrary OS commands through the management GUI maintenance utility. The vulnerability affects the DKCMAIN and ESM components prior to versions A3-04-21-40/00 and A3-04-21/00 respectively. With a CVSS score of 8.1 (High) and a network attack vector, this represents a significant risk to enterprise storage infrastructure, though AC:H indicates that exploitation requires specialized conditions. No active exploitation has been confirmed (not in CISA KEV), and EPSS data was not available at the time of analysis.
Technical Context (AI)
This vulnerability stems from improper neutralization of special elements used in OS commands (CWE-78), which commonly occurs when user input from a web interface is passed unsanitized to shell commands or system() calls. The affected component is the management GUI's maintenance utility, which likely provides administrative functions for the storage platform. Hitachi Virtual Storage Platform One Block is an enterprise-grade block storage solution used in data center environments for mission-critical applications. The CPE entries identify four affected product versions (23, 24, 26, 28), indicating a multi-version issue affecting recent product lines. The DKCMAIN component appears to be the main disk controller firmware, while ESM likely refers to the Ethernet Switch Module or management subsystem; both are critical infrastructure components that require an elevated security posture.
Remediation (AI)
Upgrade to the patched firmware versions: DKCMAIN A3-04-21-40/00 or later and ESM A3-04-21/00 or later, as specified in Hitachi security advisory 2026_309 (https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_309.html). Firmware updates for enterprise storage platforms require careful planning and testing in non-production environments before deployment.

As immediate compensating controls while the upgrade is planned: isolate management GUI access to dedicated out-of-band management networks with strict firewall rules permitting only authorized administrator IP addresses (note: this reduces the attack surface but does not eliminate risk from authenticated malicious insiders or attackers who have already pivoted into the management network). Implement network segmentation so that storage management interfaces are not reachable from general corporate networks or the internet. Enable comprehensive logging of management interface access and monitor for unusual maintenance utility activity or command execution patterns. Where WAF placement is feasible, deploy web application firewall rules to detect common command injection payloads targeting the maintenance utility endpoints (trade-off: this may cause false positives with legitimate administrative operations and requires a baseline understanding of normal maintenance utility behavior). Review and remove any unnecessary network routes to storage management interfaces.
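The first step of the remediation above is to find every array still running a firmware build below the fixed ones. The following inventory check is an added example written for this page, not Hitachi's or vuln.today's code; it assumes (not confirmed by the advisory) that these version strings order by their letter prefix and then numerically, field by field, across the "-" and "/" separators, and the hostnames and installed versions in it are constructed sample data.

```python
import re

# Fixed builds named in the advisory, per component.
FIXED = {
    "DKCMAIN": "A3-04-21-40/00",
    "ESM": "A3-04-21/00",
}
# VSP One Block models listed as affected.
AFFECTED_MODELS = {"23", "24", "26", "28"}


def parse_version(version):
    """Turn 'A3-04-21-40/00' into ('A', 3, 4, 21, 40, 0) for tuple comparison.

    Assumption: fields compare numerically in left-to-right order.
    """
    m = re.fullmatch(r"([A-Z]+)(\d+)((?:[-/]\d+)+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    letters, first, rest = m.groups()
    numbers = [int(first)] + [int(x) for x in re.split(r"[-/]", rest) if x]
    return (letters, *numbers)


def is_vulnerable(model, component, installed):
    """True when an affected model runs a build older than the fixed one."""
    if model not in AFFECTED_MODELS:
        return False
    if component not in FIXED:
        raise ValueError(f"unknown component: {component!r}")
    return parse_version(installed) < parse_version(FIXED[component])


def assess(inventory):
    """inventory: iterable of (host, model, component, installed_version).

    Returns one finding string per component that still needs the upgrade.
    """
    findings = []
    for host, model, component, installed in inventory:
        if is_vulnerable(model, component, installed):
            findings.append(
                f"{host}: {component} {installed} on VSP One Block {model} "
                f"is below fixed build {FIXED[component]}"
            )
    return findings


# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE_INVENTORY = [
    ("vsp-a", "24", "DKCMAIN", "A3-04-21-30/00"),  # older than fixed build
    ("vsp-a", "24", "ESM", "A3-04-21/00"),         # exactly the fixed build
    ("vsp-b", "28", "DKCMAIN", "A3-04-21-40/00"),  # exactly the fixed build
    ("vsp-c", "30", "DKCMAIN", "A3-03-00-00/00"),  # model not in scope
]

if __name__ == "__main__":
    for line in assess(SAMPLE_INVENTORY):
        print(line)
```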
EUVD ID: EUVD-2025-209708