CVE-2023-5808

HIGH

Hitachi Vantara NAS SMU < 14.8.7825.01 - Authenticated Information Disclosure via URL Manipulation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-5808. PoCs published by Arszilla.

AI-analyzed exploit summary This PoC exploits an Insecure Direct Object Reference (IDOR) vulnerability in Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore functionality. It allows attackers with specific non-admin roles to download unencrypted backup archives by manipulating session cookies.

Description

SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in a Storage administrative role are able to access HNAS configuration backup and diagnostic data, that would normally be barred to that specific administrative role.

Exploits (1)

nomisec WORKING POC 2 stars
by Arszilla · poc
https://github.com/Arszilla/CVE-2023-5808

This PoC exploits an Insecure Direct Object Reference (IDOR) vulnerability in Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore functionality. It allows attackers with specific non-admin roles to download unencrypted backup archives by manipulating session cookies.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Hitachi NAS (HNAS) System Management Unit (SMU) < 14.8.7825.01
Auth required
Prerequisites: Valid credentials for a non-read-only, non-global admin account (e.g., Storage Administrator, Server Administrator) · Access to JSESSIONID and JSESSIONIDSSO cookies
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 7.6
EPSS 0.0054
EPSS Percentile 41.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-285 CWE-287
Status published
Products (1)
hitachi/vantara_hitachi_network_attached_storage < 14.8.7825.01
Published Dec 05, 2023
Tracked Since Feb 18, 2026