CVE-2025-68919 is a vulnerability identified in Fujitsu / Fsas Technologies ETERNUS SF ACM/SC/Express, a storage management software suite used for managing ETERNUS storage systems. The issue arises from the improper handling of sensitive information within log files, classified under CWE-532 (Insertion of Sensitive Information into Log File). Specifically, maintenance data collected by the software is logged in a manner that allows access by users or principals other than the designated ETERNUS SF Administrator. This unauthorized access to sensitive logs can lead to confidentiality compromises, as attackers with low-level privileges but local access can read sensitive data that should be restricted. The vulnerability does not affect data integrity or availability directly but poses a significant risk to confidentiality. The CVSS v3.1 score is 5.6 (medium), reflecting the local attack vector (AV:L), high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N), and a scope change (S:C) with high confidentiality impact (C:H). No known exploits have been reported in the wild, and no official patches have been linked yet, though the affected versions are prior to 16.8-16.9.1 PA 2025-12. This vulnerability highlights the importance of secure logging practices and strict access controls on sensitive operational data within enterprise storage management environments.

For European organizations, the primary impact of CVE-2025-68919 is the potential exposure of sensitive maintenance and operational data through improperly secured log files. This can lead to unauthorized disclosure of confidential information, which may include system configurations, credentials, or other sensitive operational details. Such information leakage could facilitate further attacks or espionage, especially in sectors with high-value data such as finance, government, healthcare, and critical infrastructure. Although the vulnerability does not directly compromise system integrity or availability, the confidentiality breach alone can have severe regulatory and reputational consequences under GDPR and other data protection laws. Organizations relying on Fujitsu ETERNUS storage solutions for data management and backup operations are at risk, particularly if log access controls are lax or if multiple users share administrative privileges. The requirement for local access and low privileges reduces the attack surface but does not eliminate risk, especially in environments with many users or insufficient segregation of duties.

To mitigate CVE-2025-68919, European organizations should implement the following specific measures: 1) Immediately review and tighten access controls on log files generated by ETERNUS SF ACM/SC/Express to ensure only authorized administrators can access sensitive logs. 2) Employ strict role-based access control (RBAC) and segregate duties to limit the number of users with local access and administrative privileges. 3) Monitor and audit access to maintenance data and log files to detect unauthorized access attempts promptly. 4) Disable or restrict logging of sensitive information where feasible, or configure logs to mask or redact sensitive data. 5) Stay informed about Fujitsu’s security advisories and apply patches or updates as soon as they become available for versions 16.8-16.9.1 PA 2025-12 or later. 6) Conduct regular security training for administrators on secure handling of logs and sensitive operational data. 7) Consider network segmentation and endpoint security controls to limit local access to systems running the vulnerable software. These targeted actions go beyond generic advice by focusing on access control, monitoring, and operational security specific to the affected product and vulnerability.