Hitachi ABB Power Grids Ellipse EAM
Monitor · 5.5 · ICS-CERT ICSA-21-061-01 · Mar 2, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
Ellipse EAM versions up to 9.0.25 contain cross-site scripting (CWE-79) and improper authorization (CWE-451) vulnerabilities that could allow an authenticated attacker with UI interaction to steal sensitive information, hijack user sessions, or compromise authentication credentials.
What this means
What could happen
An attacker with valid credentials could hijack a logged-in operator's session or steal authentication credentials, potentially gaining unauthorized access to the EAM system and its connected infrastructure.
Who's at risk
Power utilities and energy companies running Ellipse EAM asset/maintenance software at version 9.0.25 or earlier. This affects anyone using the system to plan maintenance, track equipment, or manage work orders for generation, transmission, or distribution assets.
How it could be exploited
An attacker with valid credentials logs into Ellipse EAM and crafts a malicious input or link that exploits the stored or reflected XSS vulnerability. When another user (ideally an engineer or administrator) clicks the link or views the page, the attacker's script runs in their session, capturing their authentication token or session cookie for hijacking.
Prerequisites
- Valid Ellipse EAM user credentials (any role)
- Target user must click a malicious link or view attacker-controlled content while logged in
- Ellipse EAM must be accessible to the attacker's network
Tags: requires valid credentials · user interaction required (clicking malicious link) · low complexity exploit · allows session hijacking · affects IT/OT asset management visibility
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
Ellipse EAM | ≤ 9.0.25 | 9.0.23
Remediation & Mitigation
Do now
HARDENING: Restrict network access to Ellipse EAM to authorized engineering workstations only, using firewall rules; close all unnecessary ports
HARDENING: Ensure Ellipse EAM has no direct Internet connection and is isolated from business/corporate networks by a firewall
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade Ellipse EAM to version 9.0.26 (fixes both vulnerabilities) or at minimum 9.0.23
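As an added check (example code, not from the advisory or the vendor), the following Python classifies an inventory of Ellipse EAM installs against the version boundaries on this page; the hostnames and versions in the sample are constructed, and the "partially-fixed" bucket for 9.0.23 through 9.0.25 is my interpretation of the two fix versions the page lists.

```python
from __future__ import annotations

# Fix versions as stated on this advisory page (affected: 9.0.25 and earlier).
MINIMUM_FIX = "9.0.23"       # the "at minimum" fix version
RECOMMENDED_FIX = "9.0.26"   # fixes both vulnerabilities

def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.0.25' into (9, 0, 25) so versions compare numerically.

    Plain string comparison would rank '9.0.9' above '9.0.25'; integer
    tuples do not. Strings with non-numeric parts are rejected, not guessed.
    """
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in parts)

def assess(version: str) -> str:
    """Classify one install as 'affected', 'partially-fixed' or 'fixed'.

    Assumption (mine, not the advisory's): a version at or above the minimum
    fix but below the recommended release is reported as partially fixed.
    """
    v = parse_version(version)
    if v >= parse_version(RECOMMENDED_FIX):
        return "fixed"
    if v >= parse_version(MINIMUM_FIX):
        return "partially-fixed"
    return "affected"   # below 9.0.23, inside the affected range

def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by assessment so the hotfix step can be scheduled."""
    groups: dict[str, list[str]] = {"affected": [], "partially-fixed": [], "fixed": []}
    for host, version in inventory.items():
        groups[assess(version)].append(host)
    return groups

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "eam-prod-01": "9.0.21",
    "eam-prod-02": "9.0.25",
    "eam-test-01": "9.0.26",
    "eam-dr-01": "9.0.9",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:16s} {', '.join(hosts) or '-'}")
```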
Long-term hardening
HARDENING: Conduct security awareness training for all Ellipse EAM users on phishing and social engineering tactics, especially email links and attachments
CVEs (2)