Hitachi Energy MSM
Monitor | CVSS 6.1 | ICS-CERT ICSA-25-182-07 | Jul 1, 2025
Vendor: Hitachi Energy | Sector: Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Hitachi Energy MSM 2.2.9 contains a cross-site scripting (XSS) vulnerability in its web interface due to a jQuery vulnerability. Successful exploitation allows an attacker to execute untrusted code in the context of an authenticated user's browser session, potentially leading to unauthorized actions or system compromise. No patch is available; the product is end-of-life.
What this means
What could happen
An attacker could execute arbitrary code in MSM through a client-side vulnerability, potentially leading to unauthorized actions or compromise of the system if a user visits a malicious page or clicks a crafted link.
Who's at risk
Energy utilities and operators who use Hitachi Energy MSM for substation or network management should be concerned. MSM is a management and supervision tool used to monitor and configure energy infrastructure; if compromised, an attacker could alter configurations or gain visibility into critical energy assets.
How it could be exploited
An attacker crafts a malicious web page or link that injects JavaScript code into the MSM web interface. When a user with access to MSM clicks the link or visits the page in their browser, the injected code executes in the context of their MSM session, allowing the attacker to perform actions as that user.
Prerequisites
- User must access the MSM web interface via a web browser
- User must click a malicious link or visit a crafted webpage while authenticated or while a session is active
- No special network positioning required; can be delivered remotely
- No authentication required for exploitation if the attacker controls the link/page
- Low-complexity attack (client-side code injection)
- Requires user interaction (clicking a link)
- No vendor patch available
- Affects a management/control system
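Because no vendor patch exists, defenders are left with detection and access control. The following added example (not from the advisory, the vendor, or the MSM product) shows one way to triage web-server access logs for script-injection attempts against a web interface of this kind. The log lines, the host paths under /msm/, and the IP addresses are all constructed for illustration; the script assumes Common Log Format as produced by a reverse proxy or web server placed in front of the interface.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format) for a hypothetical
# MSM front end. Paths, hosts and addresses are made up for this example.
SAMPLE_LOG = """\
10.1.2.10 - - [01/Jul/2025:09:12:01 +0000] "GET /msm/login HTTP/1.1" 200 1532
10.1.2.10 - - [01/Jul/2025:09:12:44 +0000] "GET /msm/devices?name=Feeder%2012 HTTP/1.1" 200 8811
10.1.2.55 - - [01/Jul/2025:09:13:07 +0000] "GET /msm/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4410
10.1.2.55 - - [01/Jul/2025:09:13:09 +0000] "GET /msm/search?q=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 4402
10.1.2.10 - - [01/Jul/2025:09:14:30 +0000] "GET /msm/report?range=last24h HTTP/1.1" 200 22104
"""

# Minimal Common Log Format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of script injection in the decoded request target. These are the
# classic reflected-XSS markers: a script tag, an inline event handler, or a
# javascript: URL. They flag attempts, not confirmed reflection.
XSS_INDICATORS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),   # e.g. onmouseover=
    re.compile(r"javascript\s*:", re.I),
]


def decode_target(path):
    """URL-decode the request target repeatedly (bounded) so that
    double-encoded payloads such as %253Cscript%253E are still inspected."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def find_xss_attempts(log_text):
    """Return one record per request whose decoded target matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        target = decode_target(m["path"])
        matched = [p.pattern for p in XSS_INDICATORS if p.search(target)]
        if matched:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": target,
                "status": int(m["status"]),
                "indicators": matched,
            })
    return hits


def count_by_source(hits):
    """Aggregate flagged requests per client address for quick triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_xss_attempts(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["target"], h["indicators"])
    print(count_by_source(found))
```

A match only shows that a script-looking payload reached the interface; whether the page reflected it unescaped, and whether a logged-in user's browser executed it, has to be checked separately (for example by reviewing the response body or the affected user's session). The bounded decode loop matters because a single decode pass would miss double-encoded payloads entirely.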
Exploitability
Some exploitation risk — EPSS score 2.5%
Public Proof-of-Concept (PoC) on GitHub (3 repositories)
Affected products (1)
Product   | Affected Versions | Fix Status
MSM 2.2.9 | ≤ 2.2.9           | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to MSM to authorized personnel only; do not expose the MSM web interface to the internet
HARDENING: Educate MSM users to avoid clicking untrusted links when logged into MSM, especially from external sources or email
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Implement network segmentation to isolate MSM behind firewalls and away from business networks
Mitigations - no patch available
MSM 2.2.9 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Require use of a VPN for any remote access to MSM; ensure the VPN is updated to the latest version
CVEs (1)
API:
/api/v1/advisories/dff7cfac-41c4-417a-863b-d43510487de7