Hitachi Virtual Storage Platform EUVD-2025-209709

CVE-2025-1978
Severity: HIGH (CVSS 3.1 base score 8.3)
Code Injection (CWE-94)
2026-05-07 Hitachi

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: May 07, 2026 - 09:01 (vuln.today)
CVE Published: May 07, 2026 - 08:05 (nvd), HIGH 8.3

Description (NVD)

Remote Code Execution Vulnerability in Hitachi Storage Navigator and the maintenance console in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28.

This issue affects Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28: before DKCMAIN Ver. 88-08-16-xx/00, SVP Ver. 88-08-18-xx/00, before DKCMAIN Ver. 93-07-26-xx/00, SVP Ver. 93-07-26-xx/00, before DKCMAIN Ver. A3-04-02-xx/00, MPC Ver. A3-04-02-xx/00, before DKCMAIN Ver. A3-03-41-xx/00, MPC Ver. A3-03-41-xx/00, before DKCMAIN Ver. A3-03-03-xx/00, MPC Ver. A3-03-03-xx/00.

Analysis (AI)

Remote code execution in the Hitachi Virtual Storage Platform G, F, E, and One Block series allows unauthenticated network attackers to execute arbitrary code on storage controllers and maintenance consoles. Confidentiality, integrity, and availability impacts are each rated Low, but the changed scope brings the base score to CVSS 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L). The vulnerability affects the Storage Navigator interface and the maintenance console across multiple VSP product lines spanning enterprise and mid-range storage arrays. EPSS data is not available, and there was no evidence of active exploitation or a public PoC at the time of analysis. Vendor-released patches are available, with specific firmware versions required for each product family.

Technical Context (AI)

This vulnerability affects Hitachi's Storage Navigator management interface and maintenance consoles (MPC/SVP) across the Virtual Storage Platform product portfolio. The CWE-94 classification indicates improper control of code generation or 'code injection', suggesting the vulnerability allows attacker-controlled input to be executed as code within the storage management stack. The affected components include DKCMAIN (disk controller main firmware) and either SVP (Service Processor) or MPC (Maintenance PC) depending on the platform generation. Storage Navigator provides web-based management for Hitachi enterprise storage arrays, handling configuration, monitoring, and administrative functions. The network-accessible attack vector and lack of authentication requirement suggest the vulnerability exists in unauthenticated portions of the management interface, potentially in request parsing, command processing, or API endpoints that fail to properly sanitize inputs before code execution or evaluation.

Remediation (AI)

Apply vendor-released firmware updates to affected Hitachi Virtual Storage Platform systems per the specific product family: upgrade DKCMAIN to version 88-08-16-xx/00 or later and SVP to 88-08-18-xx/00 or later for applicable G/F-series platforms; upgrade DKCMAIN and SVP to version 93-07-26-xx/00 or later for corresponding platforms; upgrade DKCMAIN and MPC to version A3-04-02-xx/00 or later for E-series and One Block systems; or upgrade DKCMAIN and MPC to versions A3-03-41-xx/00 or A3-03-03-xx/00 as specified in the Hitachi security advisory at https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_307.html. Firmware updates for storage controllers typically require maintenance windows and should follow Hitachi's upgrade procedures to avoid data availability impact.

As an interim mitigation if patching cannot be immediately scheduled, restrict network access to Storage Navigator and maintenance console interfaces using firewall rules or access control lists, limiting connections to authorized management networks or jump hosts only; this reduces attack surface but may complicate remote administration workflows and does not eliminate risk from internal threats or compromised management systems.
