Hitachi Energy Asset Suite

Priority: Act Now
CVSS: 8.8
ICS-CERT: ICSA-25-261-04
Published: Sep 18, 2025
Vendor: Hitachi Energy
Sector: Energy

Attack path
  Attack Vector: Local
  Auth Required: None
  Complexity: Low
  User Interaction: Required
Summary

Hitachi Energy Asset Suite versions 9.6.4.5 and earlier contain multiple open-source software vulnerabilities affecting Apache XML Graphics Batik, logback, H2 Database Engine, Apache CXF, UriComponentsBuilder, and Apache ActiveMQ. These flaws could allow attackers to trigger resource exhaustion, leak sensitive data (including cleartext passwords), cause denial-of-service, perform server-side request forgery (SSRF) and open redirect attacks, or execute arbitrary code on the Asset Suite application server.

What this means
What could happen
An attacker with local access, or the ability to trick a user into opening a malicious file, could cause Asset Suite to consume excessive resources, leak sensitive data, stop responding (denial-of-service), or, in the worst case, execute arbitrary code on the application server.
Who's at risk
Energy utilities and equipment asset management teams using Hitachi Energy Asset Suite for inventory, monitoring, or control system documentation are affected. This includes organizations managing power generation, transmission, and distribution equipment that rely on Asset Suite for operational data.
How it could be exploited
An attacker could exploit SSRF vulnerabilities in Batik to make the application fetch remote resources, abuse ActiveMQ messaging to run arbitrary commands, or trigger denial-of-service through logback data poisoning. Most vectors require local file system access or social engineering to get a user to load a crafted document into Asset Suite.
Prerequisites
  • Local file system access or ability to upload/open files in Asset Suite
  • User interaction to open a malicious file or trigger the vulnerable code path
  • For some vectors, the ability to send crafted network requests if Asset Suite is exposed to untrusted networks

Risk factors
  • high EPSS score (93.6%)
  • multiple remote code execution vectors
  • no authentication required for some attack paths
  • affects IT infrastructure managing critical OT systems
  • requires user interaction or local access but consequences are severe
Exploitability
Likely to be exploited — EPSS score 93.1%
Public Proof-of-Concept (PoC) on GitHub (3 repositories)
Affected products (1)
Product        Affected Versions    Fix Status
Asset Suite    ≤ 9.6.4.5            9.7
Remediation & Mitigation
Do now
HARDENING: Restrict network access to Asset Suite from untrusted sources; ensure it is not exposed directly to the internet or business networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Asset Suite to version 9.7 or later
HARDENING: Limit local file system access to Asset Suite; restrict which directories and files the application can read or write
Long-term hardening
HARDENING: Implement user awareness training to prevent opening untrusted or unexpected files in Asset Suite