Hitachi Energy Asset Suite
Priority: Act Now
CVSS: 9.1
Source: ICS-CERT ICSA-25-196-01
Published: Jul 15, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
Hitachi Energy Asset Suite versions 9.6.4.4 and 9.7 contain cross-site scripting (XSS) vulnerabilities (CVE-2025-1484, CVE-2025-2500) that allow an authenticated user to inject script which then executes in other users' browser sessions. The Asset Suite AnyWhere for Inventory (AWI) Android mobile app, version 11.5 and earlier, contains authentication and privilege escalation vulnerabilities (CVE-2019-9262, CVE-2019-9429, CVE-2019-9256, CVE-2019-9290) for which no fix is planned. Successful exploitation could result in unauthorized access to asset management systems, remote code execution, or privilege escalation within the Asset Suite environment.
What this means
What could happen
An attacker with valid credentials could use the cross-site scripting flaws to run script in the browser sessions of other Asset Suite users, and the mobile app vulnerabilities to gain unauthorized access or elevated privileges from a compromised or untrusted Android device. Either path could compromise visibility into critical infrastructure or allow manipulation of asset configurations.
Who's at risk
Energy utilities, grid operators, and generation facilities using Hitachi Energy Asset Suite for asset management and monitoring. Organizations deploying Asset Suite versions 9.6.4.4 or 9.7 for managing transformers, switchgear, or other electrical equipment are most at risk. The Android mobile app (AWI) affects field technicians and mobile asset inventory management workflows.
How it could be exploited
An attacker with valid Asset Suite credentials could store or reflect malicious script through the cross-site scripting (XSS) vulnerabilities. When another user views the affected page, the script runs in that user's browser under the application's origin and session, so it can perform any action the victim is permitted to perform. Alternatively, the Android mobile app (AWI) vulnerabilities could be exploited on connected devices to gain unauthorized access or escalate privileges within the Asset Suite environment.
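To make the XSS path concrete, here is an added illustration in Python. It is not Asset Suite code (the affected components are not shown on this page) but a generic asset-list renderer: the vulnerable version interpolates a user-editable description field into element body, attribute and inline-script contexts without encoding; the hardened version encodes per context, moves the value out of inline JavaScript so a Content-Security-Policy can forbid inline script, and includes a canary check a tester can use to find unencoded sinks. The asset record, payload and canary string are constructed for the example.

```python
import html

# Constructed sample record: the description is user-editable, so any
# authenticated user controls it. Not real Asset Suite data.
ASSET = {
    "id": "TX-001",
    "description": '<img src=x onerror="alert(document.cookie)">',
}

# Harmless canary containing one breakout character per output context:
# element body (<), double/single-quoted attribute (" '), inline script (</).
CANARY = "<'\"</x>"


def render_unsafe(asset: dict) -> str:
    """Vulnerable pattern: raw string interpolation into three HTML sinks."""
    desc = asset["description"]
    return (
        f'<tr data-desc="{desc}">'
        f'<td>{asset["id"]}</td><td>{desc}</td></tr>'
        f'<script>var desc = "{desc}";</script>'
    )


def render_safe(asset: dict) -> str:
    """Hardened pattern: html.escape(quote=True) is correct for both element
    body and double-quoted attribute values. The inline <script> sink is
    removed entirely; the page's external script reads the value from the
    data attribute instead, which lets the CSP below ban inline script."""
    desc = html.escape(asset["description"], quote=True)
    asset_id = html.escape(asset["id"], quote=True)
    return f'<tr data-desc="{desc}"><td>{asset_id}</td><td>{desc}</td></tr>'


def hardened_headers() -> dict:
    """Defence in depth: without 'unsafe-inline', injected inline script is
    blocked by the browser even if an encoding bug slips through."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'none'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def leaks_canary(rendered: str) -> bool:
    """Output-encoding check: if the raw canary survives into the rendered
    page, that sink accepts injected markup."""
    return CANARY in rendered


if __name__ == "__main__":
    probe = {"id": "TX-002", "description": CANARY}
    print("unsafe leaks canary:", leaks_canary(render_unsafe(probe)))
    print("safe leaks canary:  ", leaks_canary(render_safe(probe)))
    print(render_unsafe(ASSET))
    print(render_safe(ASSET))
    for name, value in hardened_headers().items():
        print(f"{name}: {value}")
```

The canary approach is what a tester would use against any web form: submit a marker containing the breakout characters for each context, fetch the page that displays it, and look for the marker unmodified. It finds the sink without running a payload in anyone's browser.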
Prerequisites
- Valid Asset Suite user credentials
- Web browser access to Asset Suite 9.6.4.4 or 9.7 web interface
- For mobile app: Android device with Asset Suite AnyWhere for Inventory (AWI) app version 11.5 or earlier installed
- Requires valid credentials, but any internal user with legitimate access can exploit it
- Low technical complexity for exploitation
- Cross-site scripting can be chained with social engineering (the victim must be lured to view the injected content)
- The Android mobile app has no fix available (end-of-life or unsupported)
- CVSS 9.1 falls in the Critical range, indicating high impact on confidentiality, integrity, and availability
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (3)
2 with fix, 1 EOL
Product | Affected Versions | Fix Status
Asset Suite AnyWhere for Inventory (AWI) Android mobile app | ≤ 11.5 | No fix (EOL)
Asset Suite | 9.6.4.4 | 9.6.4.5
Asset Suite | 9.7 | 9.6.4.5
Remediation & Mitigation
Do now
Asset Suite
HOTFIX: Update Asset Suite from 9.6.4.4 to 9.6.4.5 immediately when the update becomes available
HOTFIX: Update Asset Suite from 9.7 to 9.6.4.5 immediately when the update becomes available
HARDENING: Segregate Asset Suite from direct internet connections using firewall rules that restrict access to only required ports and authorized users
HARDENING: Implement network-based access controls to limit Asset Suite access to known, trusted engineering workstations only
Asset Suite AnyWhere for Inventory (AWI) Android mobile app
WORKAROUND: No fix is planned for the Asset Suite Android mobile app (AWI), so restrict or retire its use; disable the mobile interface if it is not critical to operations
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
Asset Suite
HARDENING: Disable unnecessary ports and services on Asset Suite servers, exposing only those required for operations
HARDENING: Enforce strong password policies and multi-factor authentication (MFA) for all Asset Suite user accounts
API: /api/v1/advisories/977c566c-c31e-4764-b579-fce5175f266c