Hitachi Energy MACH GWS

Plan Patch | CVSS 7.1 | ICS-CERT ICSA-25-289-11 | Oct 16, 2025
Hitachi Energy | Energy sector
Summary

Hitachi Energy MACH GWS versions 3.0.0.0 through 3.4.0.0 contain multiple vulnerabilities (CWE-276 improper access control, CWE-354 improper validation of integrity check value, CWE-295 improper certificate validation) that could allow an attacker to tamper with system files, cause a denial of service, or perform a remote man-in-the-middle attack.

What this means
What could happen
An attacker could modify critical GWS system files, disrupt the gateway's operation causing loss of grid management visibility, or intercept and alter unencrypted communications between the gateway and control systems.
Who's at risk
Energy sector operators running Hitachi Energy MACH GWS as a grid management gateway or SCADA edge device. This includes utilities operating generation, transmission, and distribution control systems that rely on GWS for protocol translation or state visibility.
How it could be exploited
An attacker with network access to the MACH GWS system could exploit improper integrity checking and certificate validation to intercept communications or modify system files, potentially altering how the gateway processes or forwards grid control commands.
Prerequisites
  • Network access to the MACH GWS system
  • GWS system running version 3.0.0.0 through 3.4.0.0
Tags: remotely exploitable; improper certificate validation enables man-in-the-middle attacks; affects critical energy infrastructure gateway; multiple CWE vulnerabilities in access control and validation
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product                     | Affected Versions      | Fix Status
MACH GWS 3.0.0.0 to 3.4.0.0 | ≥ 3.0.0.0, ≤ 3.4.0.0   | 3.5
Remediation & Mitigation
Do now
  • HARDENING: Isolate MACH GWS from direct Internet connections and limit network access via firewall to only required operational ports
  • HARDENING: Enforce strong password policies and restrict administrative access to GWS systems
  • WORKAROUND: Scan portable computers and removable storage media for malware before connecting to the GWS system or connected networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update MACH GWS to version 3.5 or later
Long-term hardening
  • HARDENING: Implement network segmentation between MACH GWS and untrusted networks


Hitachi Energy MACH GWS | CVSS 7.1 - OTPulse