Hitachi Energy Service Suite
Act Now | 9.8 | ICS-CERT ICSA-25-261-05 | Sep 18, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A remote code execution vulnerability exists in Oracle WebLogic Server running within Hitachi Energy Service Suite versions 9.6.0.4 EP4 and earlier. The vulnerability stems from unsafe deserialization that allows an unauthenticated network attacker to execute arbitrary code on the Service Suite system. This could compromise the confidentiality, integrity, and availability of the Service Suite and any connected operational systems. The vulnerability is being actively exploited in the wild. Hitachi Energy recommends upgrading to Service Suite version 9.8.2 or later. For versions that cannot be immediately patched, network isolation and firewall rules should be applied to restrict access to WebLogic Server ports.
What this means
What could happen
An attacker with network access to the Service Suite could execute arbitrary code on the system, potentially compromising the integrity and availability of energy management operations, including SCADA data processing, control commands, and business systems that coordinate with operational technology.
Who's at risk
This affects operators and administrators of Hitachi Energy Service Suite deployments in electrical utilities, industrial facilities, and energy management operations. Specifically, any organization using Service Suite versions 9.6.0.4 EP4 or earlier for SCADA data management, grid operations coordination, or control system integration should treat this as critical.
How it could be exploited
The vulnerability exists in Oracle WebLogic Server running within the Service Suite. An attacker on the network can send a specially crafted request to the WebLogic Server port (typically 7001) without authentication to trigger unsafe deserialization (CWE-502), resulting in remote code execution. Once code runs with Service Suite privileges, the attacker could access or modify operational data, disrupt services, or establish persistence.
Prerequisites
- Network access to the WebLogic Server port on the Service Suite system (default port 7001)
- Service Suite version 9.6.0.4 EP4 or earlier
- No authentication required
- Remotely exploitable
- No authentication required
- Low complexity attack
- Actively exploited (KEV)
- Extremely high exploit probability (94.4% EPSS)
- Affects critical energy infrastructure
- Unsafe deserialization (CWE-502)
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
| Product | Affected Versions | Fix Status |
|---|---|---|
| Service Suite | ≤ 9.6.0.4 EP4 | 9.8.2 or later |
Remediation & Mitigation
Do now
- HOTFIX: Update Service Suite from version 9.6.0.4 EP4 or earlier to version 9.8.2 or latest
- WORKAROUND: Restrict network access to Service Suite to authorized administrative workstations and management networks only; implement firewall rules to block external connectivity to WebLogic Server ports (default 7001)
Long-term hardening
- HARDENING: Isolate the Service Suite and any systems it manages from the business network using network segmentation or air-gapping where operationally feasible
- HARDENING: If remote access to the Service Suite is required, route traffic through a VPN appliance with current security updates and access controls; monitor VPN logs for suspicious authentication attempts
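One way to verify that the workaround above is actually in force is to audit firewall or flow logs for connections to the WebLogic port from outside the management networks. The following is an added example, not part of the advisory or any Hitachi Energy tooling; the log format, the `ALLOWED_NETS` values and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumed management networks (illustrative); replace with your own.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]
WEBLOGIC_PORTS = {7001}  # default WebLogic Server port named in the advisory

# Constructed sample records in a hypothetical format:
# "timestamp src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2025-09-18T10:00:01Z 10.20.0.15 10.30.0.5 7001 ALLOW
2025-09-18T10:00:07Z 10.40.7.22 10.30.0.5 7001 ALLOW
2025-09-18T10:01:12Z 203.0.113.9 10.30.0.5 7001 DENY
2025-09-18T10:02:30Z 10.40.7.22 10.30.0.5 443 ALLOW
not a flow line
2025-09-18T10:03:44Z 198.51.100.4 10.30.0.5 7001 ALLOW
"""


def parse_flow(line):
    """Parse one record; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, _dst, port, action = parts
    try:
        return ts, ipaddress.ip_address(src), int(port), action.upper()
    except ValueError:
        return None


def audit(text):
    """Return (violations, blocked) for WebLogic-port traffic from outside the allowlist.

    violations: permitted connections, i.e. gaps in the firewall rules.
    blocked: denied attempts, worth reviewing as probing.
    """
    violations, blocked = [], []
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, port, action = rec
        if port not in WEBLOGIC_PORTS or any(src in net for net in ALLOWED_NETS):
            continue
        (violations if action == "ALLOW" else blocked).append((ts, str(src)))
    return violations, blocked


if __name__ == "__main__":
    gaps, denied = audit(SAMPLE_FLOWS)
    for ts, src in gaps:
        print(f"FIREWALL GAP: {src} reached port 7001 at {ts}")
    for ts, src in denied:
        print(f"blocked attempt: {src} at {ts}")
```

Any entry in the first list means a source outside the allowlist was permitted to reach port 7001, so the firewall rule set does not yet match the workaround.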
CVEs (1)