Hitachi VSP One Block OS Command Injection (CVE-2025-9661) CVSS 8.1
The National Vulnerability Database has detailed CVE-2025-9661, an OS command injection vulnerability residing in the management GUI (maintenance utility) of Hitachi Virtual Storage Platform One Block 23, 24, 26, and 28. This critical flaw, with a CVSS score of 8.1 (HIGH), allows unauthenticated attackers to execute arbitrary operating system commands.
The vulnerability specifically impacts Hitachi Virtual Storage Platform One Block versions 23, 24, 26, and 28 before DKCMAIN A3-04-21-40/00 and ESM A3-04-21/00. The National Vulnerability Database highlights that the attack vector is network-based with low attack complexity, requiring no privileges or user interaction, making it a highly attractive target for opportunistic attackers.
This isn’t just a theoretical issue; command injection vulnerabilities in management interfaces are a direct pathway to full system compromise. Defenders must recognize that an attacker exploiting this could gain deep access to storage infrastructure, potentially leading to data exfiltration, service disruption, or further lateral movement within the network. The high confidentiality, integrity, and availability impacts underscore the severity.
What This Means For You
- If your organization utilizes Hitachi Virtual Storage Platform One Block, immediately verify your firmware versions. Patch all affected systems *before* DKCMAIN A3-04-21-40/00 and ESM A3-04-21/00 without delay. Prioritize this fix, as the lack of authentication and user interaction makes it an easy target for network-based attacks.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2025-9661 - Hitachi VSP One Block OS Command Injection via Maintenance Utility
title: CVE-2025-9661 - Hitachi VSP One Block OS Command Injection via Maintenance Utility
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2025-9661 by targeting the maintenance utility endpoint with a command injection payload in the 'cmd' query parameter. This is a direct indicator of exploitation of the OS command injection vulnerability in Hitachi Virtual Storage Platform One Block.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2025-9661/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/maintenance/utility'
cs-uri-query|contains:
- 'cmd='
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2025-9661 | Command Injection | Hitachi Virtual Storage Platform One Block 23, 24, 26, 28 |
| CVE-2025-9661 | Command Injection | management gui (maintenance utility) |
| CVE-2025-9661 | Command Injection | Hitachi Virtual Storage Platform One Block 23/24/26/28 before DKCMAIN A3-04-21-40/00 |
| CVE-2025-9661 | Command Injection | Hitachi Virtual Storage Platform One Block 23/24/26/28 before ESM A3-04-21/00 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 07, 2026 at 11:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-44407 — Denial of Service
CVE-2026-44407 — A remote denial-of-service vulnerability exists in the ZTE Cloud PC client uSmartview, which may lead to memory corruption and remote denial of service....
CVE-2026-27421 — WProyal Royal Elementor Addons Cross-Site Scripting (XSS)
CVE-2026-27421 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WProyal Royal Elementor Addons allows Stored XSS. This issue affects Royal...
CVE-2026-27416 — BPlugins PDF Poster Vulnerability
CVE-2026-27416 — Missing Authorization vulnerability in bPlugins PDF Poster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF Poster: from n/a through...