Hitachi Energy MSM Product

Monitor | CVSS 7.5 | ICS-CERT ICSA-25-275-02 | Oct 2, 2025
Hitachi Energy | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Hitachi Energy MSM product versions 2.2.10 and earlier contain two vulnerabilities: HTML injection via the name parameter (CWE-79) that could allow code injection into the web interface, and an assertion failure in fuzz_binary_decode (CWE-617) that can crash the application. Both vulnerabilities require network access to the MSM system but no authentication. No vendor patch is planned. The product is designed for internal networks only and should not be exposed to the internet or untrusted network segments.

What this means
What could happen
An attacker could inject malicious HTML into the MSM interface through the name parameter or trigger an assertion failure that crashes the monitoring system, disrupting visibility into switchgear status and potentially causing undetected changes to critical electrical equipment configurations.
Who's at risk
Energy utilities operating Hitachi Energy Modular Switchgear Monitoring (MSM) systems for real-time monitoring of high-voltage switchgear and substations should prioritize isolation and access control. This affects anyone with MSM version 2.2.10 or earlier managing switchgear operations at utility substations, generation facilities, or transmission stations.
How it could be exploited
An attacker with network access to the MSM web interface could craft a request containing malicious HTML in the name parameter to inject code into the application, or send specially crafted binary data to trigger a denial-of-service crash. The device is not designed for internet exposure but could be compromised if accessible from the business network.
Prerequisites
  • Network access to the MSM web interface (typically internal network)
  • No authentication required to inject malicious HTML or trigger the assertion failure
  • Remotely exploitable from internal networks
  • No authentication required
  • Low complexity attack
  • No vendor patch planned
  • Could disrupt visibility into critical switchgear status
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
MSM | ≤ 2.2.10 | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Disconnect MSM devices from any internet-facing networks and isolate them behind a firewall with minimal exposed ports
  • HARDENING: Restrict network access to MSM to authorized engineering personnel only; use firewall rules to limit which systems and users can reach the MSM web interface
  • HARDENING: Scan all portable computers and removable media for malware before connecting them to any system with MSM access
Mitigations - no patch available
MSM has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Implement strict user access management on all computers running the MSM Client application, using OS-level controls to restrict who can execute the application
  • HARDENING: Harden all computers connected to MSM according to CIS Benchmarks (CIS Microsoft Windows Desktop and Server Benchmarks) to prevent lateral movement into MSM from compromised workstations
  • HARDENING: Harden web browsers on computers used to access MSM in accordance with CIS Critical Security Control 9: Email and Web Browser Protections
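
With no patch planned, one way to verify the access restrictions above is to review which clients reach the MSM web interface and whether HTML markup arrives in the name parameter. The following Python is an added example, not code from Hitachi Energy or from this advisory; it assumes MSM traffic passes through a reverse proxy writing Common Log Format lines and that name is sent as a query parameter, and the `/device` path, the addresses and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumptions (not from the advisory): MSM traffic passes a reverse proxy that
# writes Common Log Format lines, and `name` is sent as a query parameter.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')
# A tag opener (<b, </p, <!--) or an inline event-handler attribute (onload=).
MARKUP_RE = re.compile(r"<\s*[a-z/!]|\bon[a-z]+\s*=", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), bounded to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def review_msm_access(lines, authorized_clients):
    """Return (client, timestamp, reason, detail) findings for the given log lines."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line; skip rather than guess
        client, timestamp, target = match.groups()
        if client not in authorized_clients:
            findings.append((client, timestamp, "unauthorized-client", target))
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in query.get("name", []):
            name = fully_decode(raw)
            if MARKUP_RE.search(name):
                findings.append((client, timestamp, "html-in-name", name))
    return findings


# Constructed sample log lines (documentation addresses, hypothetical path).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Oct/2025:08:00:01 +0000] "GET /device?name=Bay-3 HTTP/1.1" 200 512',
    '192.0.2.10 - - [02/Oct/2025:08:02:10 +0000] "GET /device?name=%3Ch1%3Etest%3C%2Fh1%3E HTTP/1.1" 200 530',
    '198.51.100.7 - - [02/Oct/2025:08:05:44 +0000] "GET /device?name=%253Cb%253Ex HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for finding in review_msm_access(SAMPLE_LOG, authorized_clients={"192.0.2.10"}):
        print(finding)
```

The markup pattern is a heuristic: a hit is a prompt to review the request, and a finding from a client outside the authorized set indicates the firewall restriction is not being enforced.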