CVE-2023-6538

HIGH

SMU <14.8.7825.01 - Info Disclosure

Title source: llm

Description

SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure through URL manipulation. Authenticated users in the Storage, Server, or combined Server+Storage administrative roles are able to access the SMU configuration backup, which would normally be barred to those specific administrative roles.

Exploits (2)

nomisec WORKING POC 1 stars
by Arszilla · poc
https://github.com/Arszilla/CVE-2023-6538
exploitdb WORKING POC
by Arslan Masood · python, remote, hardware
https://www.exploit-db.com/exploits/51915

Scores

CVSS v3 7.6
EPSS 0.0530
EPSS Percentile 89.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Classification

CWE
CWE-285
Status published

Affected Products (1)

hitachi/system_management_unit_firmware < 14.8.7825.01

Timeline

Published Dec 11, 2023
Tracked Since Feb 18, 2026