Hitachi Energy Service Suite

Act Now | CVSS 9.8 | ICS-CERT ICSA-25-261-05 | Sep 18, 2025
Hitachi Energy | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A remote code execution vulnerability exists in Hitachi Energy Service Suite versions 9.6.0.4_EP4 and earlier due to unsafe deserialization in the underlying Oracle WebLogic Server component. The vulnerability allows unauthenticated attackers with network access to execute arbitrary code on the Service Suite server, potentially compromising the confidentiality, integrity, and availability of the energy control system. The vulnerability is being actively exploited in the wild.

What this means
What could happen
An attacker could gain remote code execution on the Service Suite server, potentially compromising the entire energy management system and allowing manipulation of grid operations, SCADA data, or complete system shutdown.
Who's at risk
Energy utilities and generation facilities running Hitachi Energy Service Suite for SCADA operations, grid management, or energy control. This affects any organization using Service Suite versions 9.6.0.4_EP4 or earlier as their primary control system for power distribution or generation monitoring.
How it could be exploited
An attacker with network access to the Service Suite (typically port 80/443 or WebLogic ports) sends a malicious request that exploits unsafe deserialization in the underlying Oracle WebLogic Server. No authentication is required. Successful exploitation gives the attacker command execution on the Service Suite server, from which they could move laterally into OT systems or manipulate the energy control functions themselves.
Prerequisites
  • Network access to Service Suite web interface or WebLogic Server ports (typically 7001/7002)
  • Service Suite running version 9.6.0.4_EP4 or earlier
  • No authentication credentials required
remotely exploitable, no authentication required, low complexity, actively exploited (KEV), high EPSS score (94.4%), affects OT/SCADA systems, potential for grid-level impact
Exploitability
Actively exploited — confirmed by CISA KEV
Metasploit module available — weaponized exploit
Public Proof-of-Concept (PoC) on GitHub (7 repositories)
Affected products (1)
Product: Service Suite
Affected Versions: ≤ 9.6.0.4 EP4
Fix Status: 9.8.2+
Remediation & Mitigation
Do now
HOTFIX: Update Service Suite to version 9.8.2 or later
WORKAROUND: Restrict network access to Service Suite ports to authorized networks only using firewall rules
HARDENING: Isolate the Service Suite server on a separate network segment from critical OT systems until patching is completed
Long-term hardening
HARDENING: Disable direct internet access to Service Suite; route all external access through a VPN gateway with separate authentication
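
To apply the version bounds and port guidance above across an asset inventory, the following added example (not part of the advisory or any Hitachi Energy tooling) classifies each Service Suite host and picks a remediation action. The "N.N.N.N_EPn" version layout, the inventory field names and the action labels are assumptions made for illustration.

```python
import re

# Bounds come from the advisory; the "N.N.N.N_EPn" string layout is an assumption.
LAST_AFFECTED = "9.6.0.4_EP4"
FIRST_FIXED = "9.8.2"
# Ports the advisory names as typical for the web interface and WebLogic.
SERVICE_PORTS = {80, 443, 7001, 7002}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[_ ]EP(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor, ...), ep) padded to four numeric fields."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(part) for part in match.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    return nums, int(match.group(2) or 0)

def classify(version):
    """Map a version to 'affected', 'fixed' or 'unconfirmed'."""
    parsed = parse_version(version)
    if parsed <= parse_version(LAST_AFFECTED):
        return "affected"
    if parsed >= parse_version(FIRST_FIXED):
        return "fixed"
    return "unconfirmed"  # the advisory gives no status between the two bounds

def triage(host):
    """Combine version status with exposure to pick a remediation action."""
    status = classify(host["version"])
    exposed = sorted(SERVICE_PORTS & set(host["reachable_from_untrusted"]))
    if status == "fixed":
        action = "restrict" if exposed else "none"
    elif status == "affected":
        action = "restrict-then-update" if exposed else "update"
    else:
        action = "confirm-with-vendor"
    return {"host": host["name"], "status": status, "exposed": exposed, "action": action}

# Constructed inventory; names, versions and port lists are illustrative only.
INVENTORY = [
    {"name": "ss-prod-01", "version": "9.6.0.4_EP4", "reachable_from_untrusted": [443, 7001]},
    {"name": "ss-prod-02", "version": "9.6.0.3", "reachable_from_untrusted": []},
    {"name": "ss-test-01", "version": "9.7.1", "reachable_from_untrusted": [22]},
    {"name": "ss-dr-01", "version": "9.8.2", "reachable_from_untrusted": [7002]},
]
if __name__ == "__main__":
    for entry in INVENTORY:
        print(triage(entry))
```

The reachable_from_untrusted list is meant to come from your own firewall or segmentation review, not from the version data.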