Hitachi ABB Power Grids Ellipse APM

MonitorCVSS 6.3ICS-CERT ICSA-21-110-01Apr 20, 2021

ABBHitachi EnergyEnergy

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

A stored cross-site scripting (XSS) vulnerability in Hitachi ABB Power Grids Ellipse APM allows authenticated users or integrated applications to inject malicious HTML/JavaScript into the APM database through data import functions. When other users view the contaminated data via the APM web interface, the injected code executes in their browsers, potentially compromising session credentials or exposing sensitive information. The vulnerability affects Ellipse APM versions 5.3.0.1 and earlier. Exploitation requires valid APM credentials or configured API access for data imports. No public exploits are currently known.

What this means

What could happen

An authenticated user or external application could inject malicious JavaScript code into the Ellipse APM database, which would then execute in the browsers of other users who view that data, potentially allowing theft of session credentials or sensitive information.

Who's at risk

Energy utilities and power generation facilities operating Hitachi ABB Power Grids Ellipse APM asset and maintenance management systems. Risk is highest for organizations with external integrations that feed data into APM from third-party systems or where non-technical staff have import privileges.

How it could be exploited

An attacker with valid APM credentials, or an external system with API access configured for data import, could craft malicious HTML/JavaScript and inject it into APM through normal import functions (data uploads, API calls, Excel imports). When another user accesses the contaminated data in the web interface, the injected code runs in their browser with their permissions.

Prerequisites

Valid authenticated user account with 'Administrator' or 'Import' role in Ellipse APM
Network access to APM web interface or import APIs
Knowledge of APM data import mechanisms (Excel uploads, REST API, direct database integrations)

Requires valid authenticationLow complexity exploitationAffects web-based asset management systemNo patch available for older supported versions

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

Ellipse APM:≤ 5.1.0.65.3.0.2, 5.2.0.4, 5.1.0.7+

Ellipse APM:≤ 5.2.0.35.3.0.2, 5.2.0.4, 5.1.0.7+

Ellipse APM:≤ 5.3.0.15.3.0.2, 5.2.0.4, 5.1.0.7+

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict 'Administrator' application role to fully trained, trusted staff who understand the risk of importing malicious data

HARDENINGAudit and restrict all API credentials and external application integrations to import only from trusted, validated data sources; implement input validation filters in source systems

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade to Ellipse APM version 5.3.0.2, 5.2.0.4, or 5.1.0.7 or later

WORKAROUNDDeploy a Web Application Firewall (WAF) in front of APM web interfaces configured to block XSS payloads in HTTP requests, JSON/XML, and Excel file uploads

CVEs (1)

CVE-2021-27887

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0b21c898-88c4-40ea-b156-2e73513d31ee

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.