CVE-2025-9661
OS Command Injection in Hitachi Virtual Storage Platform One Block
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: Hitachi, Ltd.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hitachi | virtual_storage_platform_one_block | to esm_a3-04-21/00 (exc) |
| hitachi | virtual_storage_platform_one_block | to dkcmain_a3-04-21-40/00 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9661 is an OS command injection vulnerability found in the management GUI (maintenance utility) of Hitachi Virtual Storage Platform One Block models 23, 24, 26, and 28.
This vulnerability allows an attacker to inject operating system commands through the management interface, potentially leading to unauthorized command execution on the affected system.
How can this vulnerability impact me?
This vulnerability can have a high impact as it allows remote attackers to execute arbitrary OS commands without any privileges or user interaction.
The CVSS v3.1 base score of 8.1 indicates a high severity, with potential impacts including complete compromise of confidentiality, integrity, and availability of the affected storage platform.
What immediate steps should I take to mitigate this vulnerability?
The permanent action to mitigate this vulnerability is to replace the microcode with a modified version (DKCMAIN A3-04-21-40/00, ESM A3-04-21/00).
No interim action is required.
Users are advised to confirm they are referencing the latest information due to potential updates.