Device Manager
Monthly
Configuration Manager versions up to 11.0.5-00 is affected by insertion of sensitive information into log file (CVSS 5.2).
CVE-2025-30025 is a local privilege escalation vulnerability in the inter-process communication (IPC) protocol between a server process and its service control mechanism, caused by insecure deserialization (CWE-502). An authenticated local attacker with limited privileges can exploit this flaw to escalate to higher privileges, potentially gaining complete system compromise including confidentiality, integrity, and availability impact. While the CVSS score of 7.8 indicates high severity, the local attack vector and requirement for prior authentication mean this affects primarily multi-user systems or scenarios where an attacker has already gained initial local access.
The communication protocol used between client and server had a flaw that could be leveraged to execute a man in the middle attack.
CVE-2025-30023 is a critical remote code execution vulnerability in a client-server communication protocol that allows authenticated users to execute arbitrary code on affected systems. The flaw affects users with valid credentials who can access the affected service over an adjacent network segment, potentially compromising confidentiality, integrity, and availability across trust boundaries. While specific product details are limited in the provided data, this represents a high-severity risk requiring immediate patching, particularly if actively exploited or if public proof-of-concept code exists.
Kyocera Device Manager before 3.1.1213.0 allows NTLM credential exposure during UNC path authentication via a crafted change from a local path to a UNC path. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Improper Validation of Certificate with Host Mismatch vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Server, Device Manager Agent, Host Data Collector components) allows. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Cleartext Transmission of Sensitive Information vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Server, Device Manager Agent, Host Data Collector components) allows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A user with permission to log on to the machine hosting the AXIS Device Manager client could under certain conditions extract a memory dump from the built-in Windows Task Manager application. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.
A vulnerability in Hitachi Command Suite 7.x and 8.x before 8.7.0-00 allows an unauthenticated remote user to trigger a denial of service (DoS) condition because of Uncontrolled Resource Consumption. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Previous releases of the Puppet device_manager module creates configuration files containing credentials that are world readable. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An Information Exposure issue was discovered in Hitachi Command Suite 8.5.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site scripting vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to execute arbitrary JavaScript code. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Open Redirect vulnerability in Hitachi Device Manager before 8.5.2-01 allows remote attackers to redirect users to arbitrary web sites. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Open Redirect vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Tuning Manager before 8.5.2-00 allows remote attackers to redirect authenticated users to arbitrary web sites. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XXE vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to read arbitrary files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
RMI vulnerability in Hitachi Device Manager before 8.5.2-01 allows remote attackers to execute internal commands without authentication via RMI ports. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site scripting (XSS) vulnerability in the online help in Hitachi Device Manager, Tiered Storage Manager, Replication Manager, and Global Link Manager before 8.1.2-00, and Compute Systems. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
Configuration Manager versions up to 11.0.5-00 is affected by insertion of sensitive information into log file (CVSS 5.2).
CVE-2025-30025 is a local privilege escalation vulnerability in the inter-process communication (IPC) protocol between a server process and its service control mechanism, caused by insecure deserialization (CWE-502). An authenticated local attacker with limited privileges can exploit this flaw to escalate to higher privileges, potentially gaining complete system compromise including confidentiality, integrity, and availability impact. While the CVSS score of 7.8 indicates high severity, the local attack vector and requirement for prior authentication mean this affects primarily multi-user systems or scenarios where an attacker has already gained initial local access.
The communication protocol used between client and server had a flaw that could be leveraged to execute a man in the middle attack.
CVE-2025-30023 is a critical remote code execution vulnerability in a client-server communication protocol that allows authenticated users to execute arbitrary code on affected systems. The flaw affects users with valid credentials who can access the affected service over an adjacent network segment, potentially compromising confidentiality, integrity, and availability across trust boundaries. While specific product details are limited in the provided data, this represents a high-severity risk requiring immediate patching, particularly if actively exploited or if public proof-of-concept code exists.
Kyocera Device Manager before 3.1.1213.0 allows NTLM credential exposure during UNC path authentication via a crafted change from a local path to a UNC path. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Improper Validation of Certificate with Host Mismatch vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Server, Device Manager Agent, Host Data Collector components) allows. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Cleartext Transmission of Sensitive Information vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Server, Device Manager Agent, Host Data Collector components) allows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A user with permission to log on to the machine hosting the AXIS Device Manager client could under certain conditions extract a memory dump from the built-in Windows Task Manager application. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.
A vulnerability in Hitachi Command Suite 7.x and 8.x before 8.7.0-00 allows an unauthenticated remote user to trigger a denial of service (DoS) condition because of Uncontrolled Resource Consumption. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Previous releases of the Puppet device_manager module creates configuration files containing credentials that are world readable. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An Information Exposure issue was discovered in Hitachi Command Suite 8.5.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site scripting vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to execute arbitrary JavaScript code. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Open Redirect vulnerability in Hitachi Device Manager before 8.5.2-01 allows remote attackers to redirect users to arbitrary web sites. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Open Redirect vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Tuning Manager before 8.5.2-00 allows remote attackers to redirect authenticated users to arbitrary web sites. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XXE vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to read arbitrary files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
RMI vulnerability in Hitachi Device Manager before 8.5.2-01 allows remote attackers to execute internal commands without authentication via RMI ports. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site scripting (XSS) vulnerability in the online help in Hitachi Device Manager, Tiered Storage Manager, Replication Manager, and Global Link Manager before 8.1.2-00, and Compute Systems. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.