CVE-2026-1166 identifies an open redirect vulnerability in Hitachi Ops Center Administrator, a management platform for Hitachi storage solutions. The vulnerability exists in versions from 10.2.0 before 11.0.8 and is classified under CWE-601, which involves improper validation of URLs used for redirection. An attacker can exploit this flaw by crafting malicious URLs that appear to originate from the legitimate Hitachi Ops Center Administrator domain but redirect users to arbitrary, potentially malicious external websites. This can be leveraged in phishing campaigns or social engineering attacks to deceive users into divulging sensitive information or downloading malware. The vulnerability does not require authentication, increasing its accessibility to attackers, but does require user interaction to follow the malicious link. The CVSS 3.1 base score of 4.3 reflects a medium severity level, with the vector indicating network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and no availability impact. No public exploits or active exploitation have been reported to date. The lack of direct impact on confidentiality or availability limits the severity, but the risk remains significant due to the potential for indirect compromise through social engineering. Mitigation primarily involves patching to version 11.0.8 or later, which addresses the improper URL validation. Additional mitigations include implementing strict input validation on redirect parameters, employing web application firewalls to detect suspicious redirect patterns, and educating users to recognize suspicious links. Organizations should monitor for phishing attempts leveraging this vulnerability and review their security awareness programs accordingly.

The primary impact of CVE-2026-1166 is the potential for attackers to redirect users to malicious websites via crafted URLs that appear to originate from a trusted Hitachi Ops Center Administrator domain. This can facilitate phishing attacks, credential theft, or malware distribution, indirectly compromising user trust and potentially leading to broader security incidents. Since the vulnerability does not affect confidentiality or availability directly, the immediate technical damage is limited. However, the integrity of user navigation is compromised, which can have cascading effects if users are deceived into performing unsafe actions. Organizations relying on Hitachi Ops Center Administrator for critical storage management may face reputational damage and increased risk of social engineering attacks targeting their administrators or users. The ease of exploitation without authentication and the widespread use of Hitachi storage solutions in enterprise environments increase the potential attack surface. Although no known exploits are currently active, the vulnerability's presence in widely deployed infrastructure management software makes it a notable risk that should be addressed promptly.

1. Apply official patches or upgrade Hitachi Ops Center Administrator to version 11.0.8 or later as soon as they become available to eliminate the vulnerability. 2. Implement strict server-side validation of all URL redirect parameters to ensure they only point to trusted internal destinations, rejecting or sanitizing any untrusted inputs. 3. Deploy web application firewalls (WAFs) with rules designed to detect and block suspicious open redirect attempts targeting the Ops Center Administrator interface. 4. Conduct targeted user awareness training for administrators and users of the Ops Center Administrator platform to recognize and avoid clicking on suspicious or unexpected links, especially those purporting to be from the management console. 5. Monitor logs and network traffic for unusual redirect patterns or spikes in phishing attempts referencing Hitachi Ops Center Administrator URLs. 6. Where possible, implement multi-factor authentication and session management controls to reduce the impact of any successful social engineering attempts. 7. Review and restrict outbound web access from critical management systems to limit exposure to malicious external sites in case of redirection.