View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: Energy Asset Suite
Vulnerabilities: Incomplete List of Disallowed Inputs, Plaintext Storage of a Password, Out-of-bounds Write, Release of Invalid Pointer or Reference
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to the target equipment, perform remote code executions, or escalate privileges.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports that the following products are affected:
Asset Suite AnyWhere for Inventory (AWI) Android mobile app: Versions 11.5 and prior (CVE-2019-9262, CVE-2019-9429, CVE-2019-9256, CVE-2019-9290)
Asset Suite 9 series: Version 9.6.4.4 (CVE-2025-1484, CVE-2025-2500)
Asset Suite 9 series: Version 9.7 (CVE-2025-2500)
3.2 VULNERABILITY OVERVIEW
3.2.1 INCOMPLETE LIST OF DISALLOWED INPUTS CWE-184
A vulnerability exists in the media upload component of the Asset Suite versions listed above. If successfully exploited an attacker could impact the confidentiality or integrity of the system. An attacker can use this vulnerability to construct a request that will cause JavaScript code supplied by the attacker to execute within the user’s browser in the context of that user’s session with the application.
CVE-2025-1484 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2025-1484. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N).
3.2.2 PLAINTEXT STORAGE OF A PASSWORD CWE-256
A vulnerability exists in the SOAP Web services of the Asset Suite versions listed above. If successfully exploited, an attacker could gain unauthorized access to the product and the time window of a possible password attack could be expanded.
CVE-2025-2500 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-2500. A base score of 9.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.3 OUT-OF-BOUNDS WRITE CWE-787
A vulnerability exists in the MPEG4Extractor component of the media extractor. If successfully exploited, an attacker could trigger an out-of-bounds write, potentially leading to remote code execution.
CVE-2019-9262 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.4 OUT-OF-BOUNDS WRITE CWE-787
A vulnerability exists in the profman component due to memory corruption. If successfully exploited, an attacker could trigger an out-of-bounds write, potentially leading to unauthorized local escalation of privileges.
CVE-2019-9429 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.2.5 OUT-OF-BOUNDS WRITE CWE-787
A vulnerability exists in the libmediaextractor component. If successfully exploited, an attacker could trigger an out-of-bounds write due to an integer overflow, potentially leading to remote code execution.
CVE-2019-9256 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.6 RELEASE OF INVALID POINTER OR REFERENCE CWE-763
A vulnerability exists in the tzdata component due to a mismatch between allocation and deallocation functions. If successfully exploited, an attacker could trigger memory corruption, potentially leading to local escalation of privilege.
CVE-2019-9290 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland
3.4 RESEARCHER
Hitachi Energy PSIRT reported these vulnerabilities to CISA.
4. MITIGATIONS
Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:
(CVE-2025-1484) Asset Suite version 9.6.4.4: Update to Asset Suite Version 9.6.4.5 when available
(CVE-2025-1484) Asset Suite version 9.6.4.4: Apply General Mitigation Factors/Workarounds
(CVE-2025-2500) Asset Suite version 9.6.4.4, Asset Suite version 9.7: Apply General Mitigation Factors/Workarounds
(CVE-2019-9262, CVE-2019-9429, CVE-2019-9256, CVE-2019-9290) Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 (awi_11.5_armv7) and earlier: Apply General Mitigation Factors/Workarounds
Hitachi Energy recommends the following general mitigation factors and workarounds:Recommended security practices and firewall configurations can help protect process control networks from external attacks. These practices include ensuring that process control systems are physically protected from unauthorized access by unauthorized personnel, do not have direct connections to the Internet, and are separated from other networks by a firewall system with a minimal number of exposed ports. Additional configurations should be evaluated on a case-by-case basis. Process control systems should not be used for web browsing, instant messaging, or receiving email. Portable computers and removable storage media should be thoroughly scanned for viruses before connecting to a control system.
For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000212 CYBERSECURITY ADVISORY – Cross-Site Scripting & Mobile Application Vulnerabilities in Hitachi Energy’s Asset Suite Product.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
July 15, 2025: Initial Republication of Hitachi Energy PSIRT 8DBD000212
View CSAF
1. EXECUTIVE SUMMARY
- CVSS v4 9.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: Energy Asset Suite
- Vulnerabilities: Incomplete List of Disallowed Inputs, Plaintext Storage of a Password, Out-of-bounds Write, Release of Invalid Pointer or Reference
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to the target equipment, perform remote code executions, or escalate privileges.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports that the following products are affected:
- Asset Suite AnyWhere for Inventory (AWI) Android mobile app: Versions 11.5 and prior (CVE-2019-9262, CVE-2019-9429, CVE-2019-9256, CVE-2019-9290)
- Asset Suite 9 series: Version 9.6.4.4 (CVE-2025-1484, CVE-2025-2500)
- Asset Suite 9 series: Version 9.7 (CVE-2025-2500)
3.2 VULNERABILITY OVERVIEW
A vulnerability exists in the media upload component of the Asset Suite versions listed above. If successfully exploited an attacker could impact the confidentiality or integrity of the system. An attacker can use this vulnerability to construct a request that will cause JavaScript code supplied by the attacker to execute within the user’s browser in the context of that user’s session with the application.
CVE-2025-1484 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2025-1484. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N).
A vulnerability exists in the SOAP Web services of the Asset Suite versions listed above. If successfully exploited, an attacker could gain unauthorized access to the product and the time window of a possible password attack could be expanded.
CVE-2025-2500 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-2500. A base score of 9.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
A vulnerability exists in the MPEG4Extractor component of the media extractor. If successfully exploited, an attacker could trigger an out-of-bounds write, potentially leading to remote code execution.
CVE-2019-9262 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A vulnerability exists in the profman component due to memory corruption. If successfully exploited, an attacker could trigger an out-of-bounds write, potentially leading to unauthorized local escalation of privileges.
CVE-2019-9429 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A vulnerability exists in the libmediaextractor component. If successfully exploited, an attacker could trigger an out-of-bounds write due to an integer overflow, potentially leading to remote code execution.
CVE-2019-9256 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A vulnerability exists in the tzdata component due to a mismatch between allocation and deallocation functions. If successfully exploited, an attacker could trigger memory corruption, potentially leading to local escalation of privilege.
CVE-2019-9290 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Switzerland
3.4 RESEARCHER
Hitachi Energy PSIRT reported these vulnerabilities to CISA.
4. MITIGATIONS
Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:
- (CVE-2025-1484) Asset Suite version 9.6.4.4: Update to Asset Suite Version 9.6.4.5 when available
- (CVE-2025-1484) Asset Suite version 9.6.4.4: Apply General Mitigation Factors/Workarounds
- (CVE-2025-2500) Asset Suite version 9.6.4.4, Asset Suite version 9.7: Apply General Mitigation Factors/Workarounds
- (CVE-2019-9262, CVE-2019-9429, CVE-2019-9256, CVE-2019-9290) Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 (awi_11.5_armv7) and earlier: Apply General Mitigation Factors/Workarounds
Hitachi Energy recommends the following general mitigation factors and workarounds:
Recommended security practices and firewall configurations can help protect process control networks from external attacks. These practices include ensuring that process control systems are physically protected from unauthorized access by unauthorized personnel, do not have direct connections to the Internet, and are separated from other networks by a firewall system with a minimal number of exposed ports. Additional configurations should be evaluated on a case-by-case basis. Process control systems should not be used for web browsing, instant messaging, or receiving email. Portable computers and removable storage media should be thoroughly scanned for viruses before connecting to a control system.
For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000212 CYBERSECURITY ADVISORY – Cross-Site Scripting & Mobile Application Vulnerabilities in Hitachi Energy’s Asset Suite Product.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- July 15, 2025: Initial Republication of Hitachi Energy PSIRT 8DBD000212
