Hitachi Energy TropOS
Plan Patch · CVSS 8.8 · ICS-CERT ICSA-25-303-02 · Oct 30, 2025
Hitachi Energy · Energy · Manufacturing
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Hitachi Energy TropOS 4th Gen firmware versions 8.9.6.0 and earlier contain command injection (CWE-78) and privilege escalation (CWE-269) vulnerabilities. An authenticated attacker could inject commands or escalate privileges to execute arbitrary code with elevated rights on the device. Hitachi Energy has released a fix in version 8.9.7.0.
What this means
What could happen
An attacker with valid credentials to TropOS could inject commands or escalate privileges to gain full control of the device, potentially altering settings, stopping operations, or disrupting energy distribution.
Who's at risk
This affects Hitachi Energy TropOS 4th Gen devices deployed in energy and manufacturing operations that manage power distribution, generation, or process control. Operators of generation facilities, substations, and industrial control systems using TropOS should treat this as a priority.
How it could be exploited
An attacker with authenticated access to TropOS exploits insufficient input validation (CWE-78) or improper privilege checks (CWE-269) to inject system commands or escalate their privileges. This could allow them to execute arbitrary code with elevated rights on the device.
Prerequisites
- Valid authentication credentials to TropOS (engineering workstation login or authorized access)
- Network access to TropOS management interface
- Running affected firmware version 8.9.6.0 or earlier
Remotely exploitable (authenticated) · Requires valid credentials · Affects control systems · Low complexity exploitation
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| TropOS 4th Gen Firmware | ≤ 8.9.6.0 | 8.9.7.0 |
| TropOS 4th Gen Firmware | < 8.9.6.0 | 8.9.7.0 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to TropOS management interface to authorized engineering workstations only using firewall rules
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update TropOS 4th Gen firmware to version 8.9.7.0 or later
Long-term hardening
- HARDENING: Implement network segmentation to isolate TropOS devices from business networks and the Internet
- HARDENING: Disable direct Internet connectivity to TropOS devices; use VPN with multi-factor authentication if remote access is required