Skip to main content

Hitachi Virtual Storage Platform EUVDEUVD-2025-209711

| CVE-2025-2514 MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-05-07 Hitachi GHSA-6g2f-5j4g-w6f4
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 09:00 vuln.today
CVE Published
May 07, 2026 - 07:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Improper restriction of excessive authentication attempts vulnerability in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28.

This issue affects Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28  : before DKCMAIN Ver 88-08-16-xx/00, GUM Ver. 88-08-20/00, before DKCMAIN Ver 93-07-26-xx/00, GUM Ver. 93-07-26/00, before DKCMAIN Ver A3-04-02-xx/00, EMS Ver. A3-04-02/00, before DKCMAIN Ver A3-03-41-xx/00, EMS Ver. A3-03-41/00, before DKCMAIN Ver A3-03-03-xx/00, EMS Ver. A3-03-02/00.

AnalysisAI

Improper restriction of excessive authentication attempts in Hitachi Virtual Storage Platform series (G-series, F-series, E-series, and One Block models) allows unauthenticated remote attackers to conduct brute-force credential attacks and potentially obtain sensitive information through repeated authentication probes without rate-limiting or account lockout mechanisms. The vulnerability affects multiple firmware versions across 28 distinct storage array models and is remotely exploitable without authentication from the network.

Technical ContextAI

The vulnerability stems from a missing or ineffective authentication attempt rate-limiting control (CWE-307: Improper Restriction of Excessive Authentication Attempts) in Hitachi Virtual Storage Platform management interfaces. This authentication control flaw affects the GUM (Hitachi Virtual Storage Platform management software) and EMS (Element Management Software) components, as well as the core DKCMAIN firmware responsible for authentication processing in these enterprise storage arrays. The issue allows attackers to repeatedly submit authentication requests without triggering account lockout, throttling, or exponential backoff mechanisms that are standard security controls for protecting credential-based access to critical infrastructure. Affected CPE identifiers span firmware versions prior to DKCMAIN 88-08-16, 93-07-26, A3-04-02, and A3-03-41 across different storage platform generations.

RemediationAI

Apply the vendor-released firmware patches immediately for your storage platform series: DKCMAIN version 88-08-16 or later with GUM version 88-08-20 or later for G-series and F-series platforms; DKCMAIN version 93-07-26 or later with GUM version 93-07-26 or later for E-series platforms; DKCMAIN version A3-04-02 or later with EMS version A3-04-02 or later, or DKCMAIN A3-03-41 or later with EMS A3-03-41 or later for One Block platforms. Before patching, implement compensating controls: restrict network access to storage management interfaces (GUM/EMS ports) using firewall rules to allow only trusted administrative IP ranges; disable or block remote authentication endpoints if local-only administration is feasible; implement external rate-limiting and account lockout policies at the network perimeter (WAF or authentication proxy) if the storage platform does not provide sufficient internal controls. Monitor authentication logs for repeated failed login attempts across all models to detect active exploitation. Coordinate patching carefully in production environments following Hitachi's maintenance windows, as firmware updates to storage arrays require careful scheduling.

Share

EUVD-2025-209711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy