Hitachi Energy Lumada APM
CVSS 5.7 · ICS-CERT ICSA-23-012-07 · Jan 12, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
Hitachi Energy Lumada APM versions 6.0.0.0 through 6.4.220601.0 (SaaS) and 6.0.0.0 through 6.4.0 (On Premises) contain an insufficient access control vulnerability in the Power BI integration feature. Users assigned the "Limited Engineer" role can view Power BI reports they are not authorized to see and can modify asset issue comments. The vulnerability is remediated in Lumada APM v6.4.0.1 and later for SaaS, and v6.5.0.0 and later for On Premises. Note: the On Premises edition does not natively support Power BI integration, but users can connect an external subscription-based Power BI service, which brings the same exposure.
What this means
What could happen
An attacker with "Limited Engineer" credentials could access unauthorized Power BI reports or modify asset issue comments, leading to potential exposure of sensitive operational data or corruption of asset records that operators depend on.
Who's at risk
Energy utilities using Hitachi Energy's Lumada APM (Asset Performance Management) to monitor and manage critical infrastructure. Cloud-based SaaS deployments are affected directly; On Premises installations are affected only where an external Power BI service has been connected. Any such deployment with users assigned the "Limited Engineer" role is at risk.
How it could be exploited
An attacker holding "Limited Engineer" role credentials signs in to the Lumada APM application (SaaS, or On Premises with Power BI integration connected). From there they can open Power BI reports the role should not be able to view, or modify comments on asset issues. No exploit beyond ordinary use of the application interface is needed; the attack requires valid credentials, and the CVSS vector additionally rates user interaction as required.
Prerequisites
- Valid "Limited Engineer" role credentials, or the ability to obtain an account with that role
- Lumada APM v6.0.0.0 through v6.4.220601.0 (SaaS) or v6.0.0.0 through v6.4.0 (On Premises) in use
- Power BI integration enabled (native on SaaS; via a connected external subscription-based Power BI service on On Premises)
- Network access to the Lumada APM application interface
Low exploitation complexity · Requires valid credentials · Affects asset data visibility and integrity · May expose operational metrics or reports
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Lumada APM - SaaS | ≥ 6.0.0.0 and ≤ 6.4.220601.0 | Fixed in v6.4.0.1
Lumada APM - On Premises | ≥ 6.0.0.0 and ≤ 6.4.0 | Fixed in v6.5.0.0
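The table has a trap for anyone scripting a version check: the SaaS range ends at a date-stamped build (6.4.220601.0) while the fix is 6.4.0.1, so a plain numeric comparison puts the fixed release inside the affected range. The checker below is an added example, not vendor tooling: it carries the ranges from the table, treats the vendor's explicit fixed version as authoritative before testing the range, and refuses to guess about versions the advisory does not cover. The deployment inventory is constructed, and the rule that a six-digit third component marks a date-stamped build is an assumption inferred from the 6.4.220601.0 format.

```python
"""Check a Lumada APM deployment inventory against the advisory's version table.

Added example for this advisory page; not Hitachi Energy tooling. Ranges are
copied from the "Affected products" table above; the inventory is constructed.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges and first fixed build per edition, as listed in the table.
ADVISORY: Dict[str, Dict[str, str]] = {
    "saas":        {"affected_min": "6.0.0.0", "affected_max": "6.4.220601.0", "fixed": "6.4.0.1"},
    "on-premises": {"affected_min": "6.0.0.0", "affected_max": "6.4.0",        "fixed": "6.5.0.0"},
}


def parse_version(text: str) -> Version:
    """Turn '6.4.0' or 'v6.4.220601.0' into a 4-tuple, zero-padded on the right."""
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    v = tuple(int(p) for p in parts)
    return v + (0,) * (4 - len(v)) if len(v) < 4 else v


def is_date_stamped(v: Version) -> bool:
    """ASSUMPTION: a six-digit third component (YYMMDD, e.g. 220601) marks a
    date-stamped SaaS build rather than a numbered release."""
    return v[2] >= 100000


def naive_is_affected(edition: str, version: str) -> bool:
    """The pitfall: a pure range test. It reports 6.4.0.1 (the SaaS fix) as
    affected because (6,4,0,1) sorts below (6,4,220601,0)."""
    rng = ADVISORY[edition]
    v = parse_version(version)
    return parse_version(rng["affected_min"]) <= v <= parse_version(rng["affected_max"])


def classify(edition: str, version: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for one deployment.

    Numbered releases at or above the vendor's fixed version are 'fixed' before
    any range test. Date-stamped builds never match the fixed check, because
    their third component would always compare above it; they are judged on
    the range alone. Anything outside both is 'unknown' and should be confirmed
    with the vendor rather than silently treated as safe.
    """
    rng = ADVISORY[edition]
    v = parse_version(version)
    lo, hi, fixed = (parse_version(rng[k]) for k in ("affected_min", "affected_max", "fixed"))
    if not is_date_stamped(v) and v >= fixed:
        return "fixed"
    if lo <= v <= hi:
        return "affected"
    return "unknown"


# Constructed inventory: (deployment name, edition, reported version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("apm-saas-tenant-a", "saas", "6.4.220601.0"),
    ("apm-saas-tenant-b", "saas", "6.4.0.1"),
    ("apm-saas-tenant-c", "saas", "6.3.1.0"),
    ("apm-onprem-01", "on-premises", "6.4.0"),
    ("apm-onprem-02", "on-premises", "6.5.0.0"),
    ("apm-onprem-03", "on-premises", "5.2.0.0"),
]


def audit(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each deployment name to its classification."""
    return {name: classify(edition, version) for name, edition, version in inventory}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{name:20s} {status}")
    print("naive range test on SaaS 6.4.0.1:", naive_is_affected("saas", "6.4.0.1"))
```

Run against a real inventory, treat every "unknown" as a ticket to confirm with the vendor: an On Premises 6.4.0.1, for instance, sits above the listed affected range but below the 6.5.0.0 fix, and the advisory says nothing about it.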
Remediation & Mitigation
Do now
WORKAROUND: Disable (or, on On Premises, disconnect) the Power BI integration if any users hold the "Limited Engineer" role
WORKAROUND: Remove all users with the "Limited Engineer" role from the system
WORKAROUND: Move "Limited Engineer" users to a different role before enabling Power BI integration; review what the replacement role grants first, since reassigning to a broader role trades an access-control bug for an access-control decision
Schedule — requires maintenance window
Upgrading an On Premises installation may require a server restart; plan for process interruption
HOTFIX: Upgrade Lumada APM to v6.4.0.1 or later (SaaS) or v6.5.0.0 or later (On Premises)
Long-term hardening
HARDENING: Implement network segmentation to isolate Lumada APM from direct internet access, using firewalls with only the required ports exposed
HARDENING: Physically restrict access to Lumada APM servers and workstations
HARDENING: Restrict Lumada APM workstations from internet browsing, email, and instant messaging
CVEs (1)
API:
/api/v1/advisories/1fa60ac5-dccb-4752-967f-c7a80e41d64d