Hitachi Energy TRMTracker
Monitor · 6.9 · ICS-CERT ICSA-25-093-02 · Apr 3, 2025
Summary
Multiple vulnerabilities in Hitachi Energy TRMTracker (CWE-90 command injection, CWE-74 improper input neutralization, CWE-79 cross-site scripting) allow attackers to execute limited remote commands, poison web cache responses, and disclose or modify sensitive information. Affected versions: TRMTracker 6.2.04 and earlier, and versions 6.3.0/6.3.01. Vendor has released fixes: v6.2.04.014, v6.3.02.
What this means
What could happen
An attacker could execute limited remote commands on TRMTracker systems, poison web caches to serve malicious content, or access and modify sensitive operational data. This could disrupt energy management operations or compromise the integrity of tracking and reporting systems.
Who's at risk
Energy utilities and companies managing transmission or resource operations using Hitachi Energy TRMTracker for system tracking and management. Affected versions include TRMTracker 6.2.04 and earlier, and versions 6.3.0 and 6.3.01.
How it could be exploited
An attacker with network access to TRMTracker could exploit command injection (CWE-90), improper input neutralization (CWE-74), or cross-site scripting (CWE-79) vulnerabilities to inject malicious code, manipulate web responses, or execute commands on the system. The attack requires network reachability to the TRMTracker interface.
Prerequisites
- Network access to the TRMTracker web interface
- Vulnerable version running (6.2.04 or earlier, or 6.3.0/6.3.01)
- No authentication mentioned as a prerequisite
Tags: remotely exploitable · low CVSS score but functional impact · command injection and injection flaws · no authentication requirements mentioned
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
TRMTracker | ≤ 6.2.04 | 6.2.04.014 or update to version 6.3.02
TRMTracker | 6.3.0, 6.3.01 | 6.3.02
Remediation & Mitigation
Do now
TRMTracker
WORKAROUND: Implement firewall rules to restrict network access to TRMTracker, exposing only the minimum necessary ports
HARDENING: Ensure TRMTracker is separated from direct Internet connections and isolated on a dedicated process control network
HARDENING: Disable or restrict Internet-facing features like web browsing and email on systems running TRMTracker
Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption
TRMTracker
HOTFIX: Update TRMTracker versions 6.2.04 and below to v6.2.04.014 or v6.3.02
HOTFIX: Update TRMTracker versions 6.3.0 and 6.3.01 to v6.3.02
Long-term hardening
TRMTracker
HARDENING: Enforce strong password policies and authentication controls for TRMTracker administrative access
HARDENING: Scan portable devices and removable media for malware before connecting them to the TRMTracker network