System Management Unit (SMU) versions prior to 14.8.7825.01, used to manage Hitachi Vantara NAS products is susceptible to unintended information disclosure via unprivileged access to SMU configuration backup data.

CVE-2023-6538

7.6HIGH

Key Information

Vendor: Hitachi
Status: System Management Unit (SMU)
Vendor: CVE Published:; 11 December 2023

Badges

👾 Exploit Exists🔴 Public PoC

Summary

SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in Storage, Server or combined Server+Storage administrative roles are able to access SMU configuration backup, that would normally be barred to those specific administrative roles.

Affected Version(s)

System Management Unit (SMU) < 14.8.7825.01

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-6538
Created by Arszilla

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit exists.
Dec 18, 2023
Vulnerability published.
Dec 11, 2023
Vulnerability Reserved.
Dec 5, 2023

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)

Credit

Arslan Masood