OTPulse

Hitachi Energy MACH GWS

Recommended action: Plan Patch · CVSS: 7.1 · Source: ICS-CERT ICSA-25-289-11 · Published: Oct 16, 2025
Summary

MACH GWS versions 3.0.0.0 through 3.4.0.0 contain three vulnerabilities: improper file permissions (CWE-276) allow unauthorized modification of system files, an unspecified issue (CWE-354) can cause denial of service, and missing certificate validation (CWE-295) enables man-in-the-middle attacks on network communications. These vulnerabilities affect the gateway's ability to securely manage process data and system integrity in energy infrastructure deployments.

What this means
What could happen
An attacker could modify system files, disrupt MACH GWS operations, or intercept network communications between the gateway and connected systems, potentially affecting grid management or process visibility.
Who's at risk
Energy sector operators managing grid operations, RTU communications, or process monitoring through MACH GWS gateways (versions 3.0.0.0 through 3.4.0.0) should prioritize this vulnerability. Impact applies to any deployment handling SCADA data, remote terminal unit coordination, or substation gateway functions.
How it could be exploited
An attacker with network access to MACH GWS can exploit improper file permissions to tamper with system configuration files, trigger resource exhaustion to cause denial of service, or position themselves on the network path to perform man-in-the-middle attacks on unencrypted or improperly validated communications.
Prerequisites
  • Network access to MACH GWS management interface or services
  • System deployed without network segmentation from untrusted networks
  • No enforcement or monitoring of certificate validation on the gateway's TLS connections
Tags: remotely exploitable · low complexity · affects energy infrastructure · file permission issues enable privilege escalation · no encryption validation allows man-in-the-middle attacks
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: MACH GWS 3.0.0.0 to 3.4.0.0
Affected versions: ≥ 3.0.0.0, ≤ 3.4.0.0
Fix status: 3.5
Remediation & Mitigation

Do now
  • HARDENING: Implement network segmentation: isolate MACH GWS on a separate VLAN with firewall rules allowing only essential management and data ports
  • HARDENING: Review and restrict file system permissions on MACH GWS to limit who can read or modify system files
  • HARDENING: Implement firewall rules to block direct internet access from MACH GWS and limit inbound connections to authorized management stations only
  • HARDENING: Enforce strong password policies for all MACH GWS user accounts and service accounts

Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • HOTFIX: Update MACH GWS to version 3.5 or later

Long-term hardening
  • HARDENING: Scan portable media and removable storage for malware before connecting to MACH GWS or connected systems
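The "review and restrict file system permissions" item above is the operational counterpart of the CWE-276 finding: configuration that any local account can rewrite. The script below is an added illustration, not Hitachi Energy's or OTPulse's code, of how an operator can audit a directory tree for group- or world-writable files and tighten them. It assumes a POSIX host; the advisory does not state the gateway's operating system or file layout, so the `etc/` and `data/` paths and their contents are constructed sample data in a temporary directory.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mode bits that let accounts other than the owner write to a path.
GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def find_loosely_writable(root):
    """Return sorted paths (relative to root) of files and directories under
    root that are writable by group or others. A configuration file with
    these bits set can be changed by any account in that group, or by
    anyone at all, which is the CWE-276 condition the advisory describes."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue  # a symlink's own mode bits are not meaningful
        if mode & GROUP_OR_WORLD_WRITE:
            findings.append(str(path.relative_to(root)))
    return sorted(findings)


def tighten(root, findings):
    """Strip group/world write bits from each flagged path, leaving the
    other bits untouched. Returns the number of paths changed."""
    changed = 0
    for rel in findings:
        path = Path(root, rel)
        mode = stat.S_IMODE(path.lstat().st_mode)
        os.chmod(path, mode & ~GROUP_OR_WORLD_WRITE)
        changed += 1
    return changed


def make_demo_tree():
    """Build a constructed sample tree (hypothetical names, not real MACH
    GWS paths) with one correctly restricted config file, one world-writable
    config file and one world-writable data directory. Modes are set
    explicitly so the result does not depend on the process umask."""
    root = tempfile.mkdtemp(prefix="gws-perm-demo-")
    cfg = Path(root, "etc")
    cfg.mkdir()
    os.chmod(cfg, 0o750)
    good = cfg / "gateway.conf"
    good.write_text("constructed sample config\n")
    os.chmod(good, 0o640)  # owner rw, group r, others nothing
    bad = cfg / "routes.conf"
    bad.write_text("constructed sample config\n")
    os.chmod(bad, 0o666)  # world-writable: flagged
    data = Path(root, "data")
    data.mkdir()
    os.chmod(data, 0o777)  # world-writable directory: flagged
    return root


def demo():
    """Audit the sample tree, tighten what was flagged, and re-audit.
    Returns (findings_before, findings_after)."""
    root = make_demo_tree()
    before = find_loosely_writable(root)
    tighten(root, before)
    after = find_loosely_writable(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for rel in before:
        print("group/world-writable:", rel)
    print("remaining after tightening:", after)
```

On a real gateway you would run `find_loosely_writable` read-only first against the vendor-documented configuration directories and review the list before applying `tighten`, since some service directories legitimately need group write access; the audit result is also a useful baseline to diff against after each maintenance window.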
API: /api/v1/advisories/57651e66-f93a-40ce-9915-15e19e50cd5c