Hitachi Energy Lumada Asset Performance Management Prognostic Model Executor Service
Act Now · 7.5 · ICS-CERT ICSA-22-286-05 · Oct 13, 2022
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary
Hitachi Energy Lumada Asset Performance Management (APM) versions 6.0.0.0 through 6.3.0.2 contain vulnerabilities (CWE-770, CWE-94) in the Prognostic Model Executor service that could allow remote code execution and crash the service. The SaaS version (6.3.220323.0 and prior) is also affected. On-premises versions require a patch or upgrade to a newer major version. The SaaS environment has already been remediated by Hitachi Energy.
What this means
What could happen
An attacker with API access and valid credentials could execute arbitrary commands on the Prognostic Model Executor service, potentially disrupting asset health assessments and operational decisions. Alternatively, the service could be crashed, halting condition assessment calculations across all monitored assets.
Who's at risk
Energy utilities and industrial asset operators using Hitachi Energy Lumada APM for condition-based maintenance and prognostic monitoring are affected. This applies to both on-premises deployments (versions 6.0–6.3) and cloud-hosted SaaS instances using the application to assess equipment health for power generation, distribution, and other critical assets.
How it could be exploited
An attacker with valid "Administrator" or "Import" role API credentials could send a crafted request to the Prognostic Model Executor service over the network, triggering code execution or a denial of service. No additional user interaction is required once credentials are obtained.
Prerequisites
- Valid API credentials with Administrator or Import role privileges
- Network access to the Lumada APM API endpoint
- Knowledge of the target APM version and API structure
- Actively exploited (KEV)
- Remotely exploitable
- High EPSS score (94.4%)
- Valid credentials required but role-based access is common in multi-user environments
- Affects condition-based maintenance and monitoring systems critical to asset management decisions
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (2)
2 pending
Product: Lumada Asset Performance Manager (APM) - Lumada Asset Performance Manager (APM) online service (SaaS)
Affected Versions: ≤ 6.3.220323.0
Fix Status: No fix yet

Product: Lumada Asset Performance Manager (APM) - Lumada Asset Performance Manager (APM)
Affected Versions: ≥ 6.0.0.0 | ≤ 6.0.0.4; 6.1.0.0 | 6.1.0.1; ≥ 6.2.0.0 | ≤ 6.2.0.2; ≥ 6.3.0.0 | ≤ 6.3.0.2
Fix Status: No fix yet
Remediation & Mitigation
Do now
Lumada Asset Performance Manager (APM) - Lumada Asset Performance Manager (APM) online service (SaaS)
- HOTFIX: Apply the vendor patch for your APM version: 6.0.0.5, 6.1.0.2, 6.2.0.4, or 6.3.0.3 depending on your current version
- HARDENING: Ensure the Lumada APM API endpoint is not directly accessible from the internet; place it behind a firewall and isolate from business networks
All products
- HOTFIX: Upgrade to a newer unaffected major version (6.2.0.3 or 6.4.0.0) if patch application is not feasible
- WORKAROUND: Disable the Prognostic Model Executor service immediately if patching cannot be completed within 48 hours; be aware this will halt asset condition assessments until remediation is applied
- HARDENING: Restrict API access to the Prognostic Model Executor by limiting and controlling which users hold Administrator or Import role privileges in accordance with least privilege principle
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: After restoring the Prognostic Model Executor service following remediation, trigger manual recalculation of asset condition for all monitored assets to recover any missed assessments
Long-term hardening
Lumada Asset Performance Manager (APM) - Lumada Asset Performance Manager (APM) online service (SaaS)
- HARDENING: If remote access to APM is required, use a VPN with current security patches and enforce multi-factor authentication for API credential access
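
The affected version ranges and hotfix versions listed above, turned into an inventory triage check. This is an added example, not vendor or CISA code; the host names and inventory rows are constructed, and a "not-listed" result only means the version falls outside the ranges this page gives.

```python
"""Triage Lumada APM version strings against the ranges in ICSA-22-286-05."""

# Inclusive affected ranges and hotfix versions per branch, copied from this page.
ONPREM_AFFECTED = {
    (6, 0): ((6, 0, 0, 0), (6, 0, 0, 4), "6.0.0.5"),
    (6, 1): ((6, 1, 0, 0), (6, 1, 0, 1), "6.1.0.2"),
    (6, 2): ((6, 2, 0, 0), (6, 2, 0, 2), "6.2.0.4"),
    (6, 3): ((6, 3, 0, 0), (6, 3, 0, 2), "6.3.0.3"),
}
SAAS_LAST_AFFECTED = (6, 3, 220323, 0)  # SaaS builds at or below this are affected

def parse_version(text):
    """Parse 'a.b.c.d' into a 4-tuple of ints; raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part APM version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(version, deployment="onprem"):
    """Return (status, hotfix); status is 'affected', 'not-listed' or 'invalid'."""
    try:
        v = parse_version(version)
    except ValueError:
        return ("invalid", None)  # truncated or malformed: needs a manual check
    if deployment == "saas":
        return ("affected", None) if v <= SAAS_LAST_AFFECTED else ("not-listed", None)
    entry = ONPREM_AFFECTED.get(v[:2])
    if entry and entry[0] <= v <= entry[1]:
        return ("affected", entry[2])
    return ("not-listed", None)

# Constructed inventory rows (host, deployment, version); not real assets.
INVENTORY = [
    ("apm-plant-a", "onprem", "6.1.0.1"),
    ("apm-plant-b", "onprem", "6.2.0.4"),
    ("apm-plant-c", "onprem", "6.3.0.2"),
    ("apm-cloud", "saas", "6.3.220323.0"),
    ("apm-lab", "onprem", "6.3"),  # truncated version string from a CMDB export
]

def report(inventory=INVENTORY):
    """Map each host to its triage result."""
    return {host: triage(ver, dep) for host, dep, ver in inventory}

if __name__ == "__main__":
    for host, (status, hotfix) in report().items():
        print(f"{host:12} {status:11} hotfix={hotfix or '-'}")
```

Hosts reported as "invalid" carry a version string that cannot be compared and should be checked by hand, not assumed unaffected.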
CVEs (2)