CVE-2025-2902 Overview
CVE-2025-2902 is an improper authorization vulnerability [CWE-862] in the Maintenance Utility of Hitachi Virtual Storage Platform (VSP). The flaw affects multiple VSP model families, including the E-series, 5000-series, and G/F-series storage systems. An authenticated attacker with low privileges can exploit the network-accessible Maintenance Utility to compromise data integrity and disrupt storage availability. Hitachi has released updated DKCMAIN and Gateway for Unified Management (GUM) firmware to address the issue.
Critical Impact
Authenticated attackers can bypass authorization controls in the VSP Maintenance Utility to modify storage configurations and disrupt enterprise storage operations.
Affected Products
- Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H — before DKCMAIN Ver. 93-07-26-xx/00 and GUM Ver. 93-07-26/00
- Hitachi Virtual Storage Platform 5100, 5500, 5100H, 5500H, 5200, 5600, 5200H, 5600H — before DKCMAIN Ver. 90-09-27-00/00 and GUM Ver. 90-09-27/00
- Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900 — before DKCMAIN Ver. 88-08-16-xx/00 and GUM Ver. 88-08-20/00
Discovery Timeline
- 2026-06-29 - CVE-2025-2902 published to NVD
- 2026-06-29 - Last updated in NVD database
Technical Details for CVE-2025-2902
Vulnerability Analysis
The vulnerability resides in the Maintenance Utility component of Hitachi VSP storage arrays. This utility provides administrative operations for firmware, configuration, and diagnostics on the storage controller. The flaw is classified as Missing Authorization [CWE-862], meaning the utility fails to enforce required permission checks for certain operations.
An attacker with valid low-privileged credentials can invoke maintenance functions that should be restricted to higher-privileged roles. Because the Maintenance Utility runs on the storage controller's Gateway for Unified Management (GUM), successful exploitation directly impacts the integrity of storage configuration data and the availability of hosted volumes.
Root Cause
The Maintenance Utility does not properly validate the authorization level of the authenticated caller before executing privileged operations. Access control decisions rely on incomplete role checks, allowing lower-privileged accounts to perform actions reserved for administrators. The issue exists in both the DKCMAIN controller firmware and the GUM management firmware across affected VSP model families.
Attack Vector
Exploitation requires network access to the Maintenance Utility interface and valid credentials for any account recognized by the system. The attacker sends crafted maintenance requests that trigger privileged code paths without the required authorization. No user interaction is required. Successful exploitation yields high impact to integrity and availability, with limited confidentiality exposure. Detailed proof-of-concept code is not publicly available. See the Hitachi Security Information advisory for vendor technical details.
Detection Methods for CVE-2025-2902
Indicators of Compromise
- Unexpected configuration changes to LDEVs, host groups, or port settings originating from non-administrator accounts.
- Maintenance Utility audit log entries showing privileged operations executed by low-privileged user IDs.
- Anomalous GUM firmware activity or unscheduled controller service disruptions on affected VSP models.
Detection Strategies
- Enable and centralize Maintenance Utility and GUM audit logs, then alert on privileged commands executed outside change windows.
- Correlate authentication events with subsequent maintenance actions to identify authorization mismatches between the caller and the operation performed.
- Baseline normal administrative behavior per user role and flag deviations such as low-privileged accounts accessing maintenance endpoints.
Monitoring Recommendations
- Restrict and monitor network reachability to the VSP management interfaces from designated administrative subnets only.
- Forward VSP syslog and Simple Network Management Protocol (SNMP) events into a centralized SIEM for continuous review.
- Review account inventories on the storage arrays and remove stale or unnecessary low-privilege accounts that could serve as an exploitation foothold.
How to Mitigate CVE-2025-2902
Immediate Actions Required
- Identify all VSP arrays in scope and confirm their current DKCMAIN and GUM firmware versions against the fixed releases listed by Hitachi.
- Apply the vendor-supplied firmware updates for the affected VSP model family as soon as maintenance windows allow.
- Rotate credentials for all Maintenance Utility accounts and remove unused or shared accounts.
- Restrict Maintenance Utility network access to a dedicated, isolated management network.
Patch Information
Hitachi has released fixed firmware for each affected model family. Upgrade VSP E-series systems to DKCMAIN Ver. 93-07-26-xx/00 and GUM Ver. 93-07-26/00 or later. Upgrade VSP 5000-series systems to DKCMAIN Ver. 90-09-27-00/00 and GUM Ver. 90-09-27/00 or later. Upgrade VSP G/F-series systems to DKCMAIN Ver. 88-08-16-xx/00 and GUM Ver. 88-08-20/00 or later. Refer to the Hitachi Security Information advisory for exact upgrade guidance.
Workarounds
- Place the Maintenance Utility interface behind a jump host or bastion with strict access controls until firmware is applied.
- Enforce network-layer access control lists (ACLs) that limit management traffic to authorized administrator source IPs.
- Audit and reduce the number of user accounts with any level of access to the Maintenance Utility, applying least privilege.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

